The ISA/IEC 62443 series of standards, developed by the ISA99 committee and adopted by the International Electrotechnical Commission, provides a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems.

These standards not only address configuration weaknesses to harden systems against vulnerabilities, but they also help address design considerations for the infrastructure used to run industrial equipment. This approach will help with the convergence of Information Technology (IT) and Operational Technology (OT), raising security and increasing safety.

The following diagram, courtesy of ISA, illustrates the status of the various work products in the ISA/IEC 62443 series standards and technical reports.

ISA Global Cybersecurity Alliance: Your Expertise is Needed

IEC 62443 Principles

According to IEC 62443-1-1, an Industrial Automation and Control System (IACS) is a “collection of processes, personnel, hardware, and software that can affect or influence the safe, secure and reliable operation of an industrial process.”

The key standards in the IEC 62443 series are the following:

  • IEC 62443-2-4, which covers the policies and practices for system integration
  • IEC 62443-4-1, which covers the secure development lifecycle requirements
  • IEC 62443-4-2, which covers the IACS components security specifications
  • IEC 62443-3-3, which covers the security requirements and the security levels

The ISA/IEC 62443 series of standards sees cybersecurity as an ongoing process and not as a goal that has to be reached. It also caters for the development of IACS components that are secure-by-design. The integration of these components into an industrial environment must be governed by defense-in-depth policies and practices.

To help raise awareness of the ISA/IEC 62443 standard, a Global Cybersecurity Alliance has been formed. This alliance is made up of industrial end users, automation providers, IT infrastructure providers, insurance providers, and cybersecurity providers like Tripwire. These members have formed four different initial workgroups around awareness, adoption, education,