The ISA/IEC 62443 series of standards, developed by the ISA99 committee and adopted by the International Electrotechnical Commission, provides a flexible framework for addressing and mitigating current and future security vulnerabilities in industrial automation and control systems. The standards not only address configuration weaknesses so that systems can be hardened against vulnerabilities, but they also cover design considerations for the infrastructure used to run industrial equipment. This approach helps with the convergence of Information Technology (IT) and Operational Technology (OT), raising security and increasing safety. The following diagram, courtesy of ISA, illustrates the status of the various work products in the ISA/IEC 62443 series of standards and technical reports.
IEC 62443 Principles
According to IEC 62443-1-1, an Industrial Automation and Control System (IACS) is a “collection of processes, personnel, hardware, and software that can affect or influence the safe, secure and reliable operation of an industrial process.” The key standards in the IEC 62443 series are the following:
- IEC 62443-2-4, which covers the security program requirements for IACS service providers (integration and maintenance)
- IEC 62443-4-1, which covers the secure product development lifecycle requirements
- IEC 62443-4-2, which covers the technical security requirements for IACS components
- IEC 62443-3-3, which covers the system security requirements and the security levels
The ISA/IEC 62443 series of standards treats cybersecurity as an ongoing process rather than a goal that, once reached, is finished. It also provides for the development of IACS components that are secure by design. The integration of these components into an industrial environment must be governed by defense-in-depth policies and practices.

To help raise awareness of the ISA/IEC 62443 standard, a Global Cybersecurity Alliance (ISA GCA) has been formed. The alliance is made up of industrial end users, automation providers, IT infrastructure providers, insurance providers, and cybersecurity providers like Tripwire. Its members have formed four initial workgroups around awareness, adoption, education, and compliance. The work of these groups serves the five overall objectives of the alliance. The primary objective is to accelerate the expansion and adoption of the ISA/IEC 62443 standards. To support adoption, the alliance will raise awareness through various marketing initiatives. On the human side, the two objectives are to develop the skills of the workforce needed to secure the industrial world and to create an avenue for that workforce to share information with each other. The final objective is to continually assess the 62443 standards to ensure they meet the needs of the organizations adopting them.

If your organization is interested in becoming a member, reach out to the ISA GCA for more information. By becoming a member, you can help make ISA/IEC 62443 the gold standard for industrial cybersecurity. Only with input from a diverse group of organizations can the standard remain valuable in defending against the ever-increasing threats facing industrial systems. You can also attend the following events in 2020 to meet members of the ISA GCA:
- 20-23 January 2020: S4x20, Miami, Florida
- 21-23 January 2020: Texas A&M 75th Annual Instrumentation and Automation Symposium for the Process Industries, College Station, Texas
- 3-6 February 2020: ARC Industry Forum, Orlando, Florida
- 20 February 2020: LOGIIC Workshop, Houston, Texas
- 24-28 February 2020: RSA Conference, San Francisco, California
- May/June 2020: ISA Cybersecurity Standards Implementation Conference, Galveston, Texas