This where cyber-security standards come in. In 2002, the International Society for Automation created and distributed the ISA-99 cyber security document to those in industrial automation sectors in order to inform them of how to protect themselves from the cyber security threats of the time. In its present state, the ISA/IEC-62443 standard is made up of a series of standards, reports, and other documentation that define the procedures required to enable network operators to implement secure industrial automation and control systems. One of the biggest strengths to the ISA/IEC-62443 standard is that it has been written to cover multiple industrial sectors in its scope and can also be used within similar control systems in adjacent markets. Because of this, it has become the go-to standard recognized and incorporated by multiple countries and organizations.
Outlining the Goals of the IEC-62443 Series
So, what does the ISA/IEC-62443 standard aim to do? Much like the original 2002 ISA-99 document, the objective of the ISA/IEC-62443 standard is to improve the safety, integrity, confidentiality, and availability of systems, devices, and components that make up industrial automation and control systems. It also aims to provide criteria for the procurement and implementation of industrial automation and control systems and, by conforming to the requirements of the ISA/IEC-62443 standard, it is hoped that electronic security will be improved while also helping to identify and deal with vulnerabilities. Another aim of the standard is to reduce the risk of confidential data becoming compromised as well as reduce the risk of hardware or software degradation or the failure of control systems or processes. Major equipment suppliers such as Schneider Electric, Honeywell, Siemens, and Yokogawa have chosen to back the ISA/IEC-62443 standard as a foundational standard that could drive enhancements to device security as well as adding features to their own technologies in order to become compliant with the ISA/IEC-62443 standard.
The standard itself is organized into four elements; General, Policies and Procedures, System, and Component. These groups correspond with their overall focus and intended audience.
The general group contains the standard elements that are commonly found throughout the entire series such as descriptions of an industrial automation and control system security lifecycle and use cases illustrating their applications.
Policies & Procedures
The policies and procedures group focusses on industrial automation and control systems security procedures such as cyber security and patch management as well as requirements for suppliers of industrial automation and control systems. Both the general and policies and procedures groups are primarily aimed at asset owners.
The system group is self-explanatory in that it covers cyber security requirements at the system level. These include aspects such as environmental technologies, risk assessment, and system design. The system group is primarily aimed at system integrators.
The final component group covers the specific details and requirements for the design and development of industrial automation and control system products covering topics such as the derived requirements applicable to the development of products. The component group is primarily aimed at component suppliers.
The ISA/IEC-62443 standard looks to improve the operation, production, and management of industrial automation and control systems and positive steps are being made with it increasingly being adopted by businesses and organizations across various industries. This adoption by network administrators, component suppliers, and system integrators is proof that standards such as the ISA/IEC-62443 are much needed in a world currently embracing swift and disruptive technological innovation and advancement.