What is the ISA/IEC 62443 framework?
The International Society of Automation (ISA) and the International Electrotechnical Commission (IEC) joined forces to develop the 62443 series.
ISA/IEC 62443 is a non-regulatory compliance series that addresses the cybersecurity risks of Industrial Automation and Control Systems (IACS) throughout their lifecycle. These requirements were originally developed for the industrial process industry but have since been extended to building automation, medical devices and transportation industries.
ISA collaborated with IEC to address the growing need to strengthen the cybersecurity of IACS. These documents present a standardized approach to addressing the cybersecurity of IACS. They are available for purchase from both organizations.
The standard’s purpose is to ensure confidentiality, integrity and availability of components and/or systems used for manufacturing or control, as well as to provide a methodology for securing control systems.
There are four groups with 14 implementation documents in total, as follows:
- General: includes four implementation documents
- Policies and Procedures: contains four implementation documents as well
- System: includes three implementation documents
- Component: consists of two implementation documents
However, only nine of the 14 standards have been published, and only four of those have certification options. These four are known as the key standards. They are:
- 62443-2-4: This standard includes the policies and practices for system integration
- 62443-3-3: Contains the security requirements and the security levels
- 62443-4-1: Addresses the secure development lifecycle requirements
- 62443-4-2: Outlines the IACS components security specifications
The ISA/IEC 62443 standards are applicable to asset owners, product suppliers and service providers (i.e., integration or maintenance service providers).
Aside from achieving compliance with one or more of the four certifying standards, organizations are given a maturity level with each certification, allowing them to increase their maturity level annually (when they renew their certification).
What are the requirements for ISA/IEC 62443 compliance?
The four key standards have different requirements in order to achieve compliance and many of those are associated with the seven Foundational Requirements (FRs).
Foundational Requirements form the basis for technical requirements throughout the 62443 series:
- FR 1: Identification and authentication control (IAC)
- FR 2: Use control (UC)
- FR 3: System integrity (SI)
- FR 4: Data confidentiality (DC)
- FR 5: Restricted data flow (RDF)
- FR 6: Timely response to events (TRE)
- FR 7: Resource availability (RA)
If a product does not have the required security functionality, the system can still meet the requirement if there is a compensating control in the system.
A company can be certified through ISA or IEC at https://isasecure.org/en-US/Certification and IECEE Cert, respectively.
Besides achieving compliance, organizations receive a maturity level. Maturity Levels are used to measure how thoroughly requirements are met. The Maturity Model is based on the Capability Maturity Model Integration (CMMI).
ISA/IEC 62443 goes hand in hand with the IEC 62351 standard, which provides some security solutions, as well as the ISO/IEC 27000 series (particularly ISO/IEC 27019 for the energy industry).
ISA/IEC 62443 is partially mapped to both the NIST CSF and ISO 27001.
Why should you be ISA/IEC 62443 compliant?
The cybersecurity landscape is a dynamic environment that encompasses widespread automation systems, aging infrastructure, new vulnerabilities and evolving attacks. IACSs are an attractive target for individuals and organizations trying to inflict harm. Therefore, those responsible for cybersecurity defense must create a cybersecurity strategy that is comprehensive.
To be effective, stakeholders, technologies, processes and procedures all require special consideration. The need for a robust strategy is repeatedly reinforced when cybercriminals take advantage of vulnerabilities, causing security breaches that can force equipment to operate beyond its safety parameters, resulting in equipment damage, environmental releases and risk to personnel.
The ISA/IEC 62443 specifications provide essential guidance to end users who seek to secure industrial solutions.
Noncompliance with ISA/IEC 62443 can have serious consequences, including:
- Endangerment of public or employee safety
- National security risk
- Loss of confidential or proprietary information
- Economic loss
- Regulatory violation
- Loss of public confidence
How to achieve compliance?
ISA/IEC 62443 compliance involves determining which of the implementation frameworks are relevant for you, implementing the relevant controls, achieving compliance through difficult audits and certifications, and much more, all at a loss of time, money and productivity. Adding to this complexity is a general lack of in-depth knowledge of the subject matter, which can lead to an inability to build consensus within an organization or the allocation of time and funds to initiatives that fail to deliver the promised benefit.
The Centraleyes platform takes over this tedious process. With its cutting-edge dashboards, smart questionnaires and automated remediation planners, designed based on your unique needs and requirements, the platform does the heavy lifting. Centraleyes provides a holistic approach for identifying and managing cybersecurity risks for IACSs, interpreting the many ISA/IEC 62443 requirements and applying them to your organization. With its pragmatic approach, Centraleyes provides insight into the four key standards while guiding your organization through the implementation process, ensuring full compliance within a short time frame.