Shop
Cancel

New ISA99 international standard on developing products that are cybersecure by design

  • February 15, 2018
  • Research Triangle Park, North Carolina

The ISA/IEC 62443 series of standards, developed by the ISA99 committee as American National Standards and adopted globally by the International Electrotechnical Commission (IEC), is designed to provide a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems (IACS).

A newly published standard in the series, ISA/IEC 62443-4-1-2018, Security for Industrial Automation and Control Systems Part 4-1: Product Security Development Life-Cycle Requirements, specifies process requirements for the secure development of products used in an IACS. It defines a secure development life-cycle for developing and maintaining secure products. This life-cycle includes security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management and product end-of-life.

These requirements can be applied to new or existing processes for developing, maintaining and retiring hardware, software or firmware for new or existing products. The requirements apply to the developer and maintainer of a product, but not to the integrator or user of the product.

"Designing security into products from the beginning of the development lifecycle is critical because it can help eliminate vulnerabilities from products before they ever reach the field," emphasizes Michael Medoff of exida, who led the ISA99 development group for the standard. "We all know how difficult and expensive it can be to constantly have to patch software in the field. The new standard gives us a real opportunity to break the cycle of frequent security patches and to produce products that are secure by design."

The ISA99 standards committee draws on the input and knowledge of IACS security experts from across the globe to develop consensus standards that are applicable to all industry sectors and critical infrastructure. Previous documents in the ISA/IEC 62443 series cover terminology, concepts, and models; establishment of an IACS security program; patch management; and system security requirements and security levels. All may be accessed at www.isa.org/findstandards .

For more information on ISA99 and the ISA/IEC 62443 series of standards, contact Eliana Brazda, ISA Standards, ebrazda@isa.org or +1-919-990-9200.

About ISA

The International Society of Automation (www.isa.org) is a nonprofit professional association that sets the standard for those who apply engineering and technology to improve the management, safety, and cybersecurity of modern automation and control systems used across industry and critical infrastructure. Founded in 1945, ISA develops widely used global standards; certifies industry professionals; provides education and training; publishes books and technical articles; hosts conferences and exhibits; and provides networking and career development programs for its 40,000 members and 400,000 customers around the world.

ISA owns Automation.com, a leading online publisher of automation-related content, and is the founding sponsor of The Automation Federation (www.automationfederation.org), an association of non-profit organizations serving as "The Voice of Automation." Through a wholly owned subsidiary, ISA bridges the gap between standards and their implementation with the ISA Security Compliance Institute (www.isasecure.org) and the ISA Wireless Compliance Institute (www.isa100wci.org).