Shop
Cancel

New ISA/IEC Standard Provides Auditable Approach to Assessing Cybersecurity Risk

  • September 15, 2020
  • Research Triangle Park, North Carolina

The new standard can be applied across all industry and critical infrastructure sectors that depend on secure IACS operations.

The widely used ISA/IEC 62443 Industrial Automation and Control Systems (IACS) Security standards, developed primarily by the ISA99 standards development committee with simultaneous review and adoption by the International Electrotechnical Commission (IEC), provide a flexible framework to address and mitigate current and future IACS security vulnerabilities. The ISA99 committee draws on the input and knowledge of IACS security experts from across the globe to develop consensus standards that are applicable to all industry sectors and critical infrastructure.

A vital new standard in the series is based on the understanding that each organization that owns and operates an IACS has its own tolerance for risk—and that each IACS represents a unique risk depending on the threats it is exposed to, the likelihood of those threats arising, the inherent vulnerabilities in the system, and the consequences if the system were to be compromised. The new standard, ISA/IEC 62443-3-2: Security Risk Assessment for System Design, defines a comprehensive set of engineering measures to guide organizations through the essential process of assessing the risk of a particular IACS and identifying and applying security countermeasures to reduce that risk to tolerable levels.  

The new standard can be effectively applied across all industry and critical infrastructure sectors that depend on secure IACS operations. Moreover, it provides much-needed guidance to all key stakeholder categories, including asset owners, system integrators, product suppliers, service providers, and compliance authorities.

“Currently, there is wide degree of variability in how industry defines and conducts IACS risk assessments,” says John Cusimano of aeSolutions, who led the ISA99 subgroup that wrote the standard. “ISA/IEC 62443-3-2 establishes fundamental requirements for an IACS risk assessment without being overly prescriptive. The result is a standard that will bring uniformity across industry while still allowing IACS owners and operators to apply any methodology that is compliant with the standard.”  

The new standard is the latest in a string of notable milestones in the ongoing development and growing global application of the ISA/IEC 62443 series. This included a decision by the United Nations Economic Commission for Europe to integrate the widely used standards into its Common Regulatory Framework on Cybersecurity, which serves as an official UN policy position statement for Europe. It also included completion of several key additional standards, including:

  • ISA/IEC 62443-4-1, Product Security Development Life-Cycle Requirements, which specifies process requirements for the secure development of products used in an IACS and defines a secure development lifecycle for developing and maintaining secure products.
  • ISA/IEC 62443-4-2, Technical Security Requirements for IACS Components, which provides the cybersecurity technical requirements for components that make up an IACS, specifically the embedded devices, network components, host components and software applications.

Other standards in the ISA/IEC 62443 series cover terminology, concepts, and models; establishing an IACS security program; patch management; and system security requirements and security levels. All may be accessed at www.isa.org/findstandards.

For more information on ISA99 and the ISA/IEC 62443 series of standards, contact Eliana Brazda, ISA Standards, at ebrazda@isa.org or +1-919-990-9200.

About ISA

The International Society of Automation (isa.org) is a non-profit professional association founded in 1945 to create a better world through automation. ISA advances technical competence by connecting the automation community to achieve operational excellence. The organization develops widely-used global standards; certifies industry professionals; provides education and training; publishes books and technical articles; hosts conferences and exhibits; and provides networking and career development programs for its 40,000 members and 400,000 customers around the world.

ISA created the ISA Global Cybersecurity Alliance (isa.org/ISAGCA) to advance cybersecurity readiness and awareness in manufacturing and critical infrastructure facilities and processes. The Alliance brings end-user companies, automation and control systems providers, IT infrastructure providers, services providers, and system integrators and other cybersecurity stakeholder organizations together to proactively address growing threats.

ISA owns Automation.com, a leading online publisher of automation-related content, and is the founding sponsor of The Automation Federation (automationfederation.org), an association of non-profit organizations serving as “The Voice of Automation.” Through a wholly owned subsidiary, ISA bridges the gap between standards and their implementation with the ISA Security Compliance Institute (isasecure.org) and the ISA Wireless Compliance Institute (isa100wci.org). 

The new standard can be applied across all industry and critical infrastructure sectors that depend on secure IACS operations.

The widely used ISA/IEC 62443 Industrial Automation and Control Systems (IACS) Security standards, developed primarily by the ISA99 standards development committee with simultaneous review and adoption by the International Electrotechnical Commission (IEC), provide a flexible framework to address and mitigate current and future IACS security vulnerabilities. The ISA99 committee draws on the input and knowledge of IACS security experts from across the globe to develop consensus standards that are applicable to all industry sectors and critical infrastructure.

A vital new standard in the series is based on the understanding that each organization that owns and operates an IACS has its own tolerance for risk—and that each IACS represents a unique risk depending on the threats it is exposed to, the likelihood of those threats arising, the inherent vulnerabilities in the system, and the consequences if the system were to be compromised. The new standard, ISA/IEC 62443-3-2: Security Risk Assessment for System Design, defines a comprehensive set of engineering measures to guide organizations through the essential process of assessing the risk of a particular IACS and identifying and applying security countermeasures to reduce that risk to tolerable levels.  

The new standard can be effectively applied across all industry and critical infrastructure sectors that depend on secure IACS operations. Moreover, it provides much-needed guidance to all key stakeholder categories, including asset owners, system integrators, product suppliers, service providers, and compliance authorities.

“Currently, there is wide degree of variability in how industry defines and conducts IACS risk assessments,” says John Cusimano of aeSolutions, who led the ISA99 subgroup that wrote the standard. “ISA/IEC 62443-3-2 establishes fundamental requirements for an IACS risk assessment without being overly prescriptive. The result is a standard that will bring uniformity across industry while still allowing IACS owners and operators to apply any methodology that is compliant with the standard.”  

The new standard is the latest in a string of notable milestones in the ongoing development and growing global application of the ISA/IEC 62443 series. This included a decision by the United Nations Economic Commission for Europe to integrate the widely used standards into its Common Regulatory Framework on Cybersecurity, which serves as an official UN policy position statement for Europe. It also included completion of several key additional standards, including:

  • ISA/IEC 62443-4-1, Product Security Development Life-Cycle Requirements, which specifies process requirements for the secure development of products used in an IACS and defines a secure development lifecycle for developing and maintaining secure products.
  • ISA/IEC 62443-4-2, Technical Security Requirements for IACS Components, which provides the cybersecurity technical requirements for components that make up an IACS, specifically the embedded devices, network components, host components and software applications.

Other standards in the ISA/IEC 62443 series cover terminology, concepts, and models; establishing an IACS security program; patch management; and system security requirements and security levels. All may be accessed at www.isa.org/findstandards.

For more information on ISA99 and the ISA/IEC 62443 series of standards, contact Eliana Brazda, ISA Standards, at ebrazda@isa.org or +1-919-990-9200.

About ISA

The International Society of Automation (isa.org) is a non-profit professional association founded in 1945 to create a better world through automation. ISA advances technical competence by connecting the automation community to achieve operational excellence. The organization develops widely-used global standards; certifies industry professionals; provides education and training; publishes books and technical articles; hosts conferences and exhibits; and provides networking and career development programs for its 40,000 members and 400,000 customers around the world.

ISA created the ISA Global Cybersecurity Alliance (isa.org/ISAGCA) to advance cybersecurity readiness and awareness in manufacturing and critical infrastructure facilities and processes. The Alliance brings end-user companies, automation and control systems providers, IT infrastructure providers, services providers, and system integrators and other cybersecurity stakeholder organizations together to proactively address growing threats.

ISA owns Automation.com, a leading online publisher of automation-related content, and is the founding sponsor of The Automation Federation (automationfederation.org), an association of non-profit organizations serving as “The Voice of Automation.” Through a wholly owned subsidiary, ISA bridges the gap between standards and their implementation with the ISA Security Compliance Institute (isasecure.org) and the ISA Wireless Compliance Institute (isa100wci.org).