ISA / IEC 62443 is a set of standards, guidelines, and good practices for securing Industrial Automation and Control Systems (IACS). It is developed by the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC). This article provides a brief introduction to the ISA / IEC 62443 standards and guidelines from the perspective of Polish Industry 4.0 companies.
The ISA / IEC 62443 set of standards is written both for operators of industrial infrastructure and for manufacturers of the equipment and software used in Industry 4.0. Because the 14 ISA / IEC 62443 standards differ in thematic scope, form and level of detail, it is all the more important to focus on the documents that match the needs of a specific company or organization. There are 4 groups of documents:
Graphic 1. ISA / IEC 62443 set of standards
Across the whole set of standards, the operator of an industrial installation, referred to in the standards as the asset owner, receives support and knowledge in the following six steps:
From the perspective of an industrial enterprise, the key standard is IEC 62443-2-1, which describes the process of creating and implementing a cybersecurity management system (CSMS) for industrial automation and control systems. This standard is introduced in the next part of this article.
The ISA / IEC 62443-2-1 standard describes the process for establishing an IACS cybersecurity management system. It is addressed to asset owners, that is, the people responsible for designing and implementing the process, for example the CISO, the CIO or the security director of the organization. When building a CSMS, the first step is to understand what the asset owner is managing. The standard therefore defines the concept of industrial automation and control systems: an IACS is the set of personnel, hardware, software and procedures that are part of the industrial process and can contribute to its safe and secure operation.
The standard adopts a structure similar to that of the more general security standards, for example those from the 27000 family, so a manager who has practical experience with, for example, ISO / IEC 27001 can easily start working with IEC 62443-2-1. The standard describes three categories of steps to be taken in the process of establishing a CSMS: (1) risk analysis, (2) responding to the mapped risks, (3) monitoring and improving the CSMS. Detailed requirements for the processes, technologies and personnel involved in implementing the CSMS are provided in the annexes (Annexes A and B). There you can find, among other things, guidelines on information security policy, access control, intrusion detection systems (IDS), the use of cryptography and physical security, but also, for example, on relations with suppliers and security incident management. It is worth pointing out that the entire set of ISA / IEC 62443 standards, including the standard discussed here, is based on seven foundational requirements that relate to the people, processes and technologies involved in securing IACS. They are:
Managers of industrial companies who have already implemented other standards in their organization, such as ISO 9001 or ISO / IEC 27001, may rightly ask: why do I need ISA / IEC 62443? The answer lies primarily in the key differences between IT security management and building an IACS security system that operates at the IT / OT interface. Such a system must take into account, among other things: the possibility of physical threat to employees, damage to the environment or public health in the event of a failure, possible attacks that damage the physical components of the equipment or affect the integrity of the products on the production line, the need for much higher availability of the protected system (usually 24/7/365), longer maintenance intervals, and a significantly longer service life of system components. One of the ISA / IEC 62443 responses to these specific IACS security challenges is to base company processes on the identification and appropriate combination of three categories of components:
In the first step, the asset owner identifies the relevant system and defines its security levels (target, achieved and capability). According to the standard, four levels of security are available to determine resistance to different levels of threats:
SL 1: Protection against accidental security breach;
SL 2: Protection against intentional security breach by simple means with basic resources, standard skills and low motivation;
SL 3: Protection against intentional security breach by sophisticated means using limited resources, IACS dedicated skills and moderate motivation;
SL 4: Protection against intentional security breach by sophisticated means with extensive resources, IACS dedicated skills and high motivation.
Asset owners may assign these levels differently to the different components of the system under review. This follows from dividing the system into separate “zones” and “conduits”. Zones are groups of logical or physical resources that share common security requirements based on factors such as criticality and consequences. Conduits are groups of resources used only for communication that meet the same security requirements. Based on this taxonomy, the employees responsible for cybersecurity can create resource matrices with the desired risk levels.
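The resource matrix described above, sketched as an added example (it is not part of the original article or of the standard's text): every zone or conduit (the communication-only groups described above) carries a target, a capability and an achieved level, and the report ranks the gaps. The sample plant, the segment names, the finding labels and the rule that the weakest component bounds a segment's capability are assumptions made for illustration.

```python
from dataclasses import dataclass

SL_RANGE = range(1, 5)  # the four security levels listed above (SL 1..SL 4)

@dataclass
class Segment:
    """A zone or a conduit; all names and values below are constructed."""
    name: str
    kind: str                 # "zone" or "conduit"
    sl_target: int            # SL-T: level the risk analysis calls for
    sl_achieved: int          # SL-A: level measured in the running system
    component_sl: dict        # SL-C per component, e.g. from vendor data

    def capability(self) -> int:
        # Simplifying assumption: without compensating measures the
        # weakest component bounds what the segment can reach.
        return min(self.component_sl.values())

def assess(seg: Segment) -> str:
    for sl in (seg.sl_target, seg.sl_achieved, *seg.component_sl.values()):
        if sl not in SL_RANGE:
            raise ValueError(f"{seg.name}: SL {sl} outside 1..4")
    if seg.sl_achieved >= seg.sl_target:
        return "ok"
    if seg.capability() >= seg.sl_target:
        return "harden"       # components can do it; configuration lags
    return "compensate"       # add countermeasures or replace components

def matrix(segments):
    """Rows of (name, kind, SL-T, SL-C, SL-A, finding), worst gap first."""
    rows = [(s.name, s.kind, s.sl_target, s.capability(), s.sl_achieved, assess(s))
            for s in segments]
    return sorted(rows, key=lambda r: r[4] - r[2])

PLANT = [  # constructed sample plant
    Segment("safety-system", "zone", 3, 2, {"sis-controller": 3, "eng-station": 3}),
    Segment("packaging-line", "zone", 2, 2, {"plc-1": 2, "hmi-1": 2}),
    Segment("legacy-mixer", "zone", 2, 1, {"plc-old": 1, "hmi-2": 2}),
    Segment("dmz-to-control", "conduit", 3, 1, {"firewall": 3, "switch": 2}),
]

if __name__ == "__main__":
    for row in matrix(PLANT):
        print("{:<16}{:<9}SL-T={} SL-C={} SL-A={}  {}".format(*row))
```

A "harden" finding means the installed components already support the target level and the gap is one of configuration, while "compensate" means the target cannot be met with the current components alone.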