Building a Resilient World:

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.


White Paper Excerpt: Implementing an IACS Cybersecurity Program

ISA/IEC 62443 provides a powerful tool to reduce the risk of financial, reputational, human, and environmental impact from cyber-attacks on Industrial Automation and Control Systems (IACS). However, since it is a “horizontal standard”, 62443 is meant to address a wide range of industries, and any specific company is likely to find that while most of the standard applies to their IACS, parts of it may not. For example, some “normative requirements” that are appropriate for an interstate pipeline may not be relevant to a chemical plant or a discrete manufacturing facility. There are also obvious differences between a large-scale corporation with many sites and thousands of employees and a small company with a few dozen staff.

It is therefore recommended that each company establish its own Industrial Automation and Control Systems (IACS) Cybersecurity Program to manage these cybersecurity risks. ISA/IEC 62443-2-1 provides guidance on how to establish a Security Program for IACS asset owners. This process might look like the following.

Figure 1 - IACS Cybersecurity Program Workflow

This white paper is intended to address the needs of Owner/Operators of industrial facilities. It will discuss the following:

  • What is an IACS Cybersecurity Program?
  • Preparing an IACS Cybersecurity Program
  • How does an IACS Cybersecurity program relate to IT Cybersecurity?
  • Costs and Benefits of an IACS Cybersecurity Program
  • What to do next

In the coming months, ISA plans to publish additional white papers intended for IACS vendors, suppliers of IACS products and services, integration/engineering services, and possibly other major stakeholders such as insurers and regulators.

What is an IACS Cybersecurity Program?

An IACS Cybersecurity Program (yellow) defines the company’s IACS security policies, practices, and procedures associated with the operation and design of the company’s industrial facilities.

Figure 2 – IACS Cybersecurity Program Concept

As this diagram indicates, the ISA/IEC 62443 standard provides Concepts, Practices, and Requirements that may be included in a corporate IACS cybersecurity program.

Note that a Corporate IACS Cybersecurity Program is a necessary first step; however, the Policies, Procedures, and Requirements defined in this program must then be implemented within existing Corporate and Facility procedures if they are to be effective. This implementation should be undertaken as one or more projects, with stated schedules, scopes, and budgets, and must include training and management of change to address human and organizational aspects.

At present, the 62443 standard identifies over 500 separate requirements that may be necessary for a given company’s facilities. It is impractical to search through ISA/IEC 62443 to determine what is necessary for a given project or operating facility. A key objective of the IACS Cybersecurity Program is therefore to establish approved requirements that may then be incorporated in project or facility standards and procedures.

A corporate IACS cybersecurity program must select which ISA/IEC 62443 requirements to include for:

  • A company’s Existing Facilities
  • New company projects that involve IACS

As shown in Figure 2, requirements and recommendations from other industry, national, and international standards may also be considered for inclusion in the company’s IACS Cybersecurity Program. Examples of these might include:

  • ISA standards such as:
    • ISA84 (safety instrumented systems),
    • ISA95 (enterprise integration),
    • ISA100 (Industrial wireless networks), and
    • ISA108 (intelligent device configuration)

Note: Since ISA standards are internally “harmonized”, use of these together with ISA/IEC 62443 may save considerable time and effort for the Owner/Operator.

  • Additional cybersecurity standards and guidelines from NIST, NAMUR, ISO, IEC, and others
  • Standards and guidelines for human factors, risk analysis and risk mitigation.

Many of the above have been aligned with ISA/IEC 62443, including through cross-reference documents and other white papers.

Examples of government standards include regulations and legislation at national, state, and local levels. These must also be considered when creating the Corporate IACS Cybersecurity Program.

ISA is currently active at US Federal, State, and local government levels to gain acceptance and standardization of regulations based on ISA/IEC 62443. ISA is also participating in programs to promote use of ISA/IEC 62443 in multiple countries around the world.

To continue reading, download the full white paper here.

Gary Rathwell
Gary Rathwell is currently president of Enterprise Consultants, offering master planning and project management services to industrial clients. He is also active in promoting PERA enterprise integration concepts through the PERA web site that he established, and is working with international bodies including ISA, ISO, and IEC to develop enterprise integration and cybersecurity standards. Gary has over thirty years’ experience in the automation and operation of process and manufacturing facilities.

Gary Rathwell Jan 11, 2022 5:30:00 AM