ISA/IEC 62443 Explained: Best Practices for IACS Cybersecurity

ISA/IEC 62443 Explained: Best Practices for IACS Cybersecurity

Automation, digitalization and increased integration of IoT devices bring increased efficiency and productivity for industrial organizations, but they have also opened new avenues for cyberattacks. The impact from a successful cyberattack on industrial automation and control systems (IACS) can be devastating since the losses typically extend beyond data and privacy loss, including the endangerment of employees or as severe as the loss of a life. The stakes are high for failure to secure essential IACS, which exist everywhere.

Given the critical nature of IACS and the impact from an attack on essential infrastructure, organizations are taking a hard look at their cybersecurity posture, and many are using the ISA/IEC 62443 framework to help guide their IACS system security strategies.

What Is ISA/IEC 62443?

The ISA/IEC 62443 series of standards was developed by the ISA99 Committee and the IEC Technical Committee 65/Working Group 10 to define requirements and processes for implementing and maintaining electronically secure IACS. These standards set best practices for security and provide a way to assess the level of security performance.

Maintaining compliance with ISA/IEC 62443 can help reduce the likelihood of cyberattacks and help organizations avoid serious regulatory, financial and safety consequences while ensuring that operations are achieving comprehensive levels of ICS and cyber-physical security.

Who Should Use the ISA/IEC 62443 Standards?

The audience for this standard is intended for asset owners, system integrators, product suppliers, service providers and where appropriate, compliance authorities. By adhering to the standards, organizations can enhance their security posture and minimize cyber risk.

ISA/IEC 62443 Family of Standards

The ISA/IEC 62443 series of standards and technical reports are arranged into four groups, corresponding to different focuses and audiences. Let’s examine the four groups.

Part One: General

The first part is a general overview of the concepts and processes that will be used throughout the framework. It is in this section that we find the foundation upon which everything else rests.

Part 1-1: Terminology, concepts, and models

introduces the concepts and models used throughout the series. The intended audience includes anyone wishing to become familiar with the fundamental concepts that form the basis for the series.

Part 1-2: Master glossary of terms and definitions

Offers a list of terms and abbreviations used throughout the series.

Part 1-3: System security conformance metrics

Describes a methodology to develop quantitative metrics derived from the process and technical requirements in the standards.

Part 1-4: IACS security lifecycle and use cases

Provides a more detailed description of the underlying lifecycle for IACS security, as well as several use cases that illustrate various applications.

Part Two: Policies and Procedures

This part provides guidelines for creating and maintaining a secure system by focusing on policies and risk management.

Part 2-1: Establishing an IACS security program

Deals with establishing an IACS security program and the requirements for initiating an effective IACS cybersecurity management system. The intended audiences include asset owners who are responsible for the design and implementation of the security program.

Part 2-2: IACS security program ratings  

Deals with IACS security program ratings by providing a way to evaluate the level of protection provided by an operational IACS against the requirement.

Part 2-3: Patch management in the IACS environment  

This part provides guidance on patch management, a critical part of any IACS cybersecurity program.

Part 2-4: Security program requirements for IACS service providers

This section is for integrators and IACS service providers. The section outlines the security capabilities that integrators need to offer to asset owners during the integration and maintenance of any automation solution.

Part 2-5: Implementation guidance for IACS asset owners

This section is for asset owners, and it defines the requirements for operating a successful IACS cybersecurity program.

Part Three: System

This part addresses the requirements for designing and implementing a secure IAS system.

Part 3-1: Security technologies for IACS

Focuses on the security technologies and tools that asset owners can use in their IACS environments. These include tools for monitoring, incident response, and general protection.

Part 3-2: Security risk assessment for system design

Sets out the requirements for defining a system under consideration. It includes instructions on how to partition the system under consideration into zones to assess each zone’s risks and establish its security level.  Within this section there is also information on the design, implementation, operation and maintenance of technical security measures.

Part 3-3: System security requirements and security levels

Defines the security requirements and the security level required to build an IACS program that that is protected against cyber threats and casual or coincidence events. These requirements are a critical in developing control systems.

Part Four: Component and Requirements

The final category of the ISA/IEC 62443 framework deals with the development lifecycle for industrial network components.

Part 4-1: Secure product development lifecycle requirements

Defines the security development life cycle requirements for control systems and products. This includes coding guidelines, verification and validation, patch management, defect management and product end of life. These requirements can be applied to new and existing processes.

Part 4-2: Technical security requirements for IACS components

Provides detailed technical control system component requirements (CRs) associated with the seven foundational requirements (FRs), including defining the requirements for control system capability security levels and their components, SLC (component).

ISA/IEC 62443 standards
ISA/IEC 62443 Series of Standards - Nozomi Networks helps organizations apply Part 2-1 and 3-3.

How Nozomi Networks Helps with ISA/IEC 62443 Compliance

With our deep understanding of OT requirements and needs, Nozomi Networks has developed both a mapping guide and a content pack for the ISA/IEC 62443 standards to help asset owners, integrators, and service providers measure their compliance level with this standard.

In our mapping guide, we describe which security controls within the ISA/IEC 62443 framework that our platform helps organizations maintain compliance with. You can download the mapping guide below.