Cybersecurity is a Global Imperative
What is the ISA/IEC 62443 standard?
The most popular cybersecurity standards and frameworks are aimed primarily at IT environments. ISA, an established organization that has been developing automation standards for many years, developed the ISA/IEC 62443 series. It is purpose-built to address the security issues unique to industrial automation and control systems (IACS) and operational technology (OT).
Unlike the more general NIST Cybersecurity Framework (CSF) or the ISO/IEC 27000 family of guidelines, ISA/IEC 62443 (IEC 62443, for short) provides a series of requirements and methods for managing the security challenges found in IACS and industrial environments.
The ISA/IEC 62443 series of standards, developed by the ISA99 committee and adopted by the International Electrotechnical Commission (IEC), provides a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems (IACSs). The committee draws on the input and knowledge of IACS security experts from across the globe to develop consensus standards that are applicable to all industry sectors and critical infrastructure.
The IEC 62443 documents are structured into a multi-tier grouping of four layers.
IEC 62443 standards overview - courtesy of ISA
General: Introductory information, vocabularies, concepts, and example use cases.
Policies and Procedures: Program requirements, patching, implementation guidance, etc.
System: Assessment approaches, security requirements levels and technologies.
Component: Product lifecycle and technical requirements for components used within a system.
The ISA/IEC 62443 standards do not directly supersede or replace the ISA95 and Purdue models. Instead, they build on those earlier concepts and divide the security and management of cyber risk into several areas. These cover not only cybersecurity reference architectures, but also guidance for security processes, requirements, technology, controls, security acceptance and factory testing, product development, security lifecycles, and a cybersecurity management system (CSMS).
The 62443 standards reach beyond ISA95 in coverage, cybersecurity content and modern concepts, but ISA95 and the Purdue model may still have value for organizations with specific security requirements, for example when Industrial Internet of Things (IIoT) devices are connected directly to the Internet or the cloud.
Why ICS/OT Infrastructure is Insecure
Industrial control system (ICS)/operational technology (OT) security differs from information technology (IT) security in many ways, and one of the main differences is the inverted confidentiality, integrity, availability (CIA) priority. Where IT typically ranks confidentiality first, OT ranks availability highest, followed by integrity and then confidentiality. Because availability comes first, any security control introduced into OT infrastructure must not interrupt the physical process, which makes securing OT a demanding task. It requires a good command of the proposed cybersecurity solutions, the applicable security standards and frameworks, and the functions and operation of the ICS itself. Here, we will cover the aspects that make ICS/OT infrastructure insecure.
A Practical Approach to Adopting the IEC 62443 Standards
From cybersecurity strategy to technical projects, many companies struggle with how to put theory into practice for industrial control systems (ICS). Although it is difficult to completely cover the full range of the IEC
ISA and MBI Join Forces to Answer High Demand for Industrial Cybersecurity Training in Germany
Research Triangle Park, North Carolina. The International Society of Automation (ISA) today announced that Maschinenbau Institut GmbH (MBI), a service
Leveraging ISA 62443-3-2 For IACS Risk Assessment and Risk Related Strategies Available Now!
In his white paper, "Leveraging ISA 62443-3-2 For IACS Risk Assessment and Risk Related Strategies," author Hal Thomas provides the reader with