ISA / IEC 62443 standard

ISA / IEC 62443 is a set of standards, guidelines, and good practices for securing Industrial Automation and Control Systems (IACS). Their creators are the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC). This article provides a brief introduction to the ISA / IEC 62443 standards and guidelines, taking into account the perspective of Polish industry 4.0 companies.

What you’ll find in this article:

  1. ISA / IEC 62443 set of standards – “I run an industrial enterprise, which standard is for me?”
  2. What is IEC 62443-2-1 about – a short description of the standard
  3. Why do I need IEC 62443-2-1 – what are the benefits of implementing the standard

ISA / IEC 62443 set of standards

The ISA / IEC 62443 set of standards is developed both for industrial infrastructure operators and manufacturers of equipment and software used in Industry 4.0. It is therefore all the more important that in the group of 14 ISA / IEC 62443 standards with different thematic scope, form and level of detail, we focus on those documents that correspond to the needs of a specific company or organization. There are 4 groups of documents:

  1. General: Provides introductory information, vocabulary, terms, and case studies.
  2. Policies and Procedures: Provides specific requirements for the organizational level of building and implementing IACS.
  3. System: Focuses on the issue of safety assessment of implemented procedures and technologies.
  4. Component: relates to the product life cycle and technical requirements for the individual components used in IACS.

Graphic 1. ISA / IEC 62443 set of standards

Source: ISA Global Cybersecurity Alliance, Quick Start Guide: An Overview of ISA / IEC 62443 Standards, www.isa.org/ISAGCA.

Across the entire set of standards described, the operator of an industrial installation, referred to in the nomenclature of the standards as the asset owner, receives support and knowledge for the following six steps:

  1. Establishing and maintaining a cyber security management system (CSMS) that takes into account the requirements specific to industrial control and automation systems;
  2. Logically categorizing resources into “zones” and “conduits” and performing risk assessments based on existing resources;
  3. Writing IACS requirements in accordance with the appropriate cybersecurity requirements specification;
  4. Purchase of products and services meeting the above-mentioned requirements;
  5. IACS operation and maintenance;
  6. Assessment of the effectiveness of the introduced IACS cybersecurity management system.

From the perspective of an industrial enterprise, the key standard is IEC 62443-2-1, which describes the process of creating and implementing a cybersecurity management system for industrial control and automation systems. This standard is introduced in the remainder of this article.

What does IEC 62443-2-1 apply to

The ISA / IEC 62443-2-1 standard describes the process for establishing an IACS cybersecurity management system. The standard is addressed to the so-called asset owners responsible for the design and implementation of the process, for example the CISO, CIO or the security director in the organization. When building a CSMS, the first step is to understand what the asset owner is managing. Therefore, the standard specifies the concept of industrial control and automation systems. IACS is a set of personnel, hardware, software and procedures that are part of the industrial process and can contribute to its safe and secure operation.

The standard adopts a structure similar to that of the more general security standards, for example those from the 27000 family, so a manager familiar with the practical use of, for example, ISO / IEC 27001 can easily begin working with IEC 62443-2-1. The standard describes three categories of steps to be taken in the process of establishing a CSMS: (1) Risk analysis, (2) Responding to mapped risks, (3) Monitoring and improving the CSMS. Detailed requirements regarding the processes, technologies and personnel involved in the implementation of the CSMS are provided in the annexes (Annexes A and B). There you can find, among others, guidelines on information security policy, access control, intrusion detection systems (IDS), the use of cryptography and physical security, but also, for example, on relations with suppliers or security incident management. It is worth pointing out here that the entire set of ISA / IEC 62443 standards, including the standard discussed, is based on seven foundational requirements that relate to the people, processes and technologies involved in securing IACS. They are:

  1. Identification and Authentication,
  2. Usage control,
  3. System integrity,
  4. Data confidentiality,
  5. Limited data flow,
  6. Time-adjusted response to events,
  7. Continuous availability of resources.

Why do I need IEC 62443-2-1

Managers of industrial companies who have already implemented other standards in their organization, such as ISO 9001 or ISO / IEC 27001, may rightly ask: why do I need ISA / IEC 62443? The answer lies primarily in the key differences between IT security management and the construction of an IACS security system operating at the IT / OT interface. Such a system must take into account, among others: the possibility of physical threat to employees, damage to the environment or public health in the event of a failure, possible attacks damaging the physical components of the equipment or affecting the integrity of the products on the production line, the need for a much higher availability of the protected system (usually 24/7/365), longer maintenance intervals, as well as a significantly longer service life of system components. One of the ISA / IEC 62443 responses to these specific IACS security challenges is to base company processes on the identification and appropriate combination of three categories of components:

  1. Relevant systems (systems under consideration, SuCs),
  2. Security Levels (SLs),
  3. The already mentioned “zones” and “conduits”.

In the first step, the asset owner identifies the relevant system and defines its security levels (target, achieved and capability). According to the standard, four levels of security are available to determine resistance to different levels of threats:

SL 1: Protection against accidental security breach;

SL 2: Protection against intentional security breach by simple means with basic resources, standard skills and low motivation;

SL 3: Protection against intentional security breach by sophisticated means using limited resources, IACS dedicated skills and moderate motivation;

SL 4: Protection against intentional security breach using sophisticated measures with extensive resources, IACS dedicated skills and high motivation.

Asset owners may assign the described levels differently to the different components of the system under review. This follows from the fact that the system is divided into separate “zones” and “conduits”. The former are defined as groups of logical or physical resources that share common security requirements based on factors such as criticality and consequences. The latter are communication-only resource groups that meet the same security requirements. Based on the taxonomy described in this way, employees responsible for cybersecurity are able to create resource matrices with their desired risk levels.
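
The zone and conduit model with target, achieved and capability security levels can be recorded as data and checked automatically. The following Python sketch is an added example, not part of the standard or of the original article: the segment names and SL values are constructed, and recording one level per foundational requirement, as well as the "configure" / "replace-or-compensate" labels, are assumptions of this example.

```python
from dataclasses import dataclass

# The seven foundational requirements, named as in this article.
FRS = ("Identification and Authentication", "Usage control", "System integrity",
       "Data confidentiality", "Limited data flow",
       "Time-adjusted response to events", "Continuous availability of resources")

@dataclass(frozen=True)
class Segment:
    """One zone or conduit of the system under consideration (SuC)."""
    name: str
    kind: str           # "zone" or "conduit"
    target: tuple       # target SL per foundational requirement, 1..4
    capability: tuple   # SL the chosen components are able to provide
    achieved: tuple     # SL the deployed configuration actually reaches
    links: tuple = ()   # conduits only: names of the zones they connect

def gaps(seg):
    """Return {FR: (target, achieved, action)} wherever achieved < target."""
    found = {}
    for fr, t, c, a in zip(FRS, seg.target, seg.capability, seg.achieved):
        if a < t:
            # Assumption of this example: capable components only need
            # configuration; otherwise replace them or add compensation.
            found[fr] = (t, a, "configure" if c >= t else "replace-or-compensate")
    return found

def validate(segments):
    """Reject malformed SL vectors and conduits that link unknown zones."""
    zones = {s.name for s in segments if s.kind == "zone"}
    errors = []
    for s in segments:
        for vec in (s.target, s.capability, s.achieved):
            if len(vec) != len(FRS) or not all(1 <= v <= 4 for v in vec):
                errors.append(f"{s.name}: invalid SL vector {vec}")
        if s.kind == "conduit" and not set(s.links) <= zones:
            errors.append(f"{s.name}: links unknown zone in {s.links}")
    return errors

def matrix(segments):
    """Resource matrix: segment name -> open gaps per foundational requirement."""
    return {s.name: gaps(s) for s in segments}

# Constructed sample data, not taken from any real installation.
T = (3, 3, 3, 2, 3, 2, 3)
SAMPLE = (
    Segment("safety-plc", "zone", T, T, (3, 2, 3, 2, 3, 2, 3)),
    Segment("office-it", "zone", (2,) * 7, (2,) * 7, (2,) * 7),
    Segment("plc-to-office", "conduit", T, (3, 3, 3, 2, 2, 2, 3),
            (3, 3, 3, 2, 2, 2, 3), ("safety-plc", "office-it")),
)
```

Calling `matrix(SAMPLE)` shows a configuration gap in the zone and a capability gap in the conduit, which is the distinction the three SL types exist to make.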
