The most popular cybersecurity standards and frameworks are primarily aimed at IT environments. ISA, an established organization that has been developing automation standards for many years, developed the ISA/IEC 62443 series. These standards are purpose-built to address the security issues unique to industrial automation and control systems (IACS) and operational technology (OT).
Unlike the more general NIST Cybersecurity Framework (CSF) or ISO 2700x guidelines, ISA/IEC 62443 (IEC 62443, for short) provides a series of requirements and methods to manage security challenges in IACS and industrial environments.
The ISA/IEC 62443 series of standards, developed by the ISA99 committee and adopted by the International Electrotechnical Commission (IEC), provides a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems (IACSs). The committee draws on the input and knowledge of IACS security experts from across the globe to develop consensus standards that are applicable to all industry sectors and critical infrastructure.
The IEC 62443 documents are structured into a multi-tier grouping of four layers.
IEC 62443 standards overview - courtesy of ISA
General: Introductory information, vocabularies, concepts, and example use cases.
Policies and Procedures: Program requirements, patching, implementation guidance, etc.
System: Assessment approaches, security requirement levels and technologies.
Component: Product lifecycle and technical requirements for components used within a system.
The ISA/IEC 62443 standards neither supersede nor replace the ISA95 and Purdue models. Instead, they build on those earlier concepts and divide the security and management of cyber risk into several areas. These cover not only cybersecurity reference architectures, but also guidance for security processes, requirements, technology, controls, security acceptance and factory testing, product development, security lifecycles, and a cybersecurity management system (CSMS).
The 62443 standards reach beyond ISA95 in coverage, cybersecurity depth and modern concepts, but ISA95 and the Purdue models may still have value for organizations with specific security requirements, for example when Industrial Internet of Things (IIoT) devices are connected directly to the Internet or the cloud.