Support

Leveraging Compliance with the ISA/IEC 62443 Standard for ICS

January 24, 2022

What is ISA/IEC 62443?

Industrial Control Systems (ICS) and the Industrial Internet of Things (IIoT) include increasingly intelligent, connected industrial and manufacturing devices. ICS connected to networks such as the internet benefit from network automation, convergence, and remote management.

But cybercriminals gain unauthorized access to ICS via these networks. The risks from this access include cyberattacks that ignite physical and data disasters, resulting in intellectual property theft and the loss of essential services. ICS breaches can lead organizations to experience reputational damage, fines, and loss of customers, business, and revenues.

In 2002, the International Society of Automation (ISA) responded to the ICS cybersecurity plight, forming the ISA99 committee, which undertook the development of ISA99, a series of standards and documents on ICS cybersecurity. The first ISA99 documents surfaced in 2007.

By 2010, the ISA adopted the ANSI/ISA-62443 numbering convention for ISA99 to align with the International Electrotechnical Commission (IEC) adoption process for IEC 62443. The ANSI/ISA-62443 and the IEC 62443 are identical. For expediency, industry participants often refer to them as a single standard, the ISA/IEC 62443. The ISA and the IEC continue to evolve the ISA/IEC 62443 standard.

The ISA/IEC 62443 series of standards shapes a malleable framework of security controls designed to mitigate existing and eventual ICS vulnerabilities and risks in the face of cyberattacks. The ISA taps global security experts who agree on new standards and technical reports for the ISA/IEC 62443. New and updated standards apply to every industry sector and category of critical infrastructure as new vulnerabilities come to light.

National committees in the IEC settle on a series of common ISA/IEC 62443 standards for ICS cybersecurity. The documents that proceed from the standard define ICS security techniques, processes, and procedures to aid organizations in mitigation and risk reduction for security vulnerabilities in ICS.

The ISA is studying ISA/IEC 62443 product certification and compliance for IIoT devices, which should accelerate the standardization of IIoT for Industry 4.0 for interoperability and integration.

ICS security challenges industry participants

The challenges driving ISA/IEC 62443 adoption include cybersecurity risks to ICS installations and networks. National critical infrastructure relying on ICS are subject to high-profile nation-state attacks such as ransomware. Ransomware can make essential services unavailable and threaten national security. Third parties introduce cybersecurity risks to ICS when bad actors breach their networks en route to organizations supporting ICS.

Organizations need to maintain OT cybersecurity. National critical infrastructure demands a standard security controls framework to protect ICS from nation-state cyber incursions. Every organization relies on third parties that can introduce cyberattacks on ICS. Organizations require a common approach to cybersecurity for ICS and IIoT in their supply and value chains.

Complying with ISA/IEC 62443

ISA/IEC 62443 compliance has several benefits. The ISA/IEC 62443 standard engenders consistency in ICS cybersecurity. Organizations can adopt and enforce security controls that work reliably across devices, networks, and infrastructure based on a single congruous framework.

ISA/IEC 62443 compliance addresses security gaps through OT security risk assessments, which incorporate data and results from previous assessments. Compliance builds in periodic reviews of OT cybersecurity using the framework of controls as a mirror to reflect remaining gaps.

ISA/IEC 62443 Product Security Development Lifecycle Requirements in ISA/IEC 62443-4-1 ensure that vendors creating ICS products and components follow a secure development lifecycle. The lifecycle bakes security into ICS products and maintains security from product inception through the product's life and into product retirement.

Product Security Development Lifecycle Requirements orchestrate ICS security, secure product design and implementation, verify and validate ICS products, deal with defective products, manage software patching, and enforce end-of-life constraints, including product disposition.

ICS asset owners operating in multiple sectors count on ISA/IEC 62443 as a single source of truth for OT cybersecurity programs for ICS cybersecurity. The standard reduces cyber risk for organizations that deploy ICS in any sector globally through an internationally scrutinized approach to securing ICS. ICS vendors can certify products via the ISA/IEC 62443 standard for acceptance in an increasing plethora of applications.

ISA/IEC 62443 and its accompanying standards form a cornerstone for securing OT in an interoperable and cross-compatible way, interweaving compliance throughout the supply chain. ISA/IEC 62443 is a common OT standard in transportation, utilities, oil and gas, pharmaceuticals, chemical, healthcare, and higher education.

Lawmaking bodies such as the New York state legislature reference the ISA/IEC 62443 standard in proposed cybersecurity bills. Compliance with a single standard leads to industry and regulatory compliance.

Recommendations

Organizations, stakeholders, and ICS asset owners should unite to catalog and inventory ICS to enable security risk assessments. Security risk assessments allow organizations to identify ICS vulnerabilities and review existing controls for security gaps and general fitness for securing ICS.

ISA/IEC 62443 compliance is not a once for all undertaking. Once you understand your current risks and controls, you'll want to list and assign criticality to the controls you should implement next for security and competitive advantage.

Organizations can remove manual steps and automate compliance and reporting across ICS implementations for transparency into ICS controls and compliance and to reign in operational costs, increase efficiencies, and wield compliance as a symbol of business agility.

Certified industry partners and domain experts in ISA/IEC 62443 are eagerly waiting to guide organizations in their quest for compliance nirvana.

To learn more, check out the Applying Critical ISA/IEC 62443 Controls Compliance Guide, which overviews how Industrial Defender helps organizations to automate and report on ISA/IEC 62443 compliance, addressing the standards' Security program requirements for ICS asset owners and System Security Requirements and Security Levels.