Understanding the ISA/IEC 62443 Series of Standards

Digital transformation paves the way for businesses to improve efficiency, reduce errors, improve overall equipment effectiveness (OEE) and reduce costs. With the promise of operational technology (OT) advances, comes the need for protecting assets through painstakingly applying cybersecurity principles.

To ensure that businesses are on the same cybersecurity page, a best practice is to adopt and follow established criteria such as the ISA/IEC 62443 series of standards.

The International Society of Automation (ISA) established the ISA99 standards committee in 2002, recognizing the need to secure equipment and operations that comprise U.S. critical infrastructure against cyberattacks. Since then, ISA99 has published a comprehensive family of standards and technical reports purpose-built to address securing automation and control systems.

The ISA/IEC 62443 standards are submitted to the International Electrotechnical Commission (IEC) for global adoption as international standards ISA/IEC 62443. The ISA/IEC 62443 series of standards are endorsed by the United Nations. With use cases from more than 20 different industries, the ISA/IEC 62443 series of standards has demonstrated its utility in all industry verticals that use operational technology systems. In 2021, IEC recognized the series as a horizontal standard, meaning that they have been proven to apply to a broad range of different industries.

The IEC 62443 series of standards addresses cybersecurity for OT in automation and control systems. The series is divided into different sections and describes both technical- and process-related aspects of automation and control system cybersecurity. The series is also known as ISA/IEC 62443 in recognition of the fact that much of the initial development was done by the ISA99 committee of ISA.

Cybersecurity topics are divided by stakeholder category/roles including:

• the operator

• the service providers (system integration and maintenance)

• the component/system manufacturers.

The different roles follow a risk-based approach to prevent and manage security risks in their activities. The ISA/IEC 62443 series of standards defines requirements and processes for implementing and maintaining electronically secure industrial automation and control systems (IACS). These standards set best practices for security and provide a way to assess the level of security performance. Their approach to the cybersecurity challenge is holistic, bridging the gap between OT and information technology (IT) as well as between process safety and cybersecurity.
 

900 volunteers contribute

Steve Mustard, president of National Automation Inc. and former ISA president (2021) explained the work that goes into creating and maintaining the standards. “It’s not just a standard, it’s a multiple set of documents,” he said. “The first versions were in 2005, ‘06, ‘07 and ‘08, and they’re being updated now because they get updated every five years. It became an IEC standard and incorporated Part 2-4 from IEC into that set.”

Mustard said there are around 900 volunteers from all over the world on the ISA99 committee. “Some write content, some review content and some vote on content. They’re in different companies. They’re asset owners, vendors, consultants and educators. They all contribute their time freely. Not all of them are members of ISA, but we’d like them to be,” he added.

“We also have a lot of experts from government organizations and non-government organizations,” continued Mustard. “They put a lot of time in, continuously developing different parts of the standard and technical reports, which are documents that help explain some of the detail in the normative versions of the standards and how you execute that. It’s a lot of work.”

Currently, there is certification for products and systems, and then the development lifecycle for vendors. These standards set cybersecurity benchmarks in all industry sectors that use IACS, including building automation, electric power generation and distribution, medical devices, transportation and process industries such as oil and gas and chemicals.

“Very soon, there will be a site-level assurance program,” explained Mustard. “Parts 2-1 and 3-3 [of ISA/IEC 62443] and many of the other parts of the standard are covering all the requirements in there, much like ISO27001. All the vendors who come along are providing their pieces, but someone has to put them together. The individual projects are great, but it’s the whole ecosystem that you have to certify or validate that the risk is being managed.”
 

Communicating with others

Chris McLaughlin, chief information security officer (CISO) at Johns Manville and one of the many ISA volunteers who are developing the standard, said, “I’d love for there to be an ISO certification at some point. What’s important to us is to be able to demonstrate to physical insurance providers that we have a program that’s working. But at the first stages, you’re just focused on getting all the pieces.”

McLaughlin said insurance companies are asking about cybersecurity. At Johns Manville, he said, “Our physical insurance companies have been doing cyber assessments at each one of our plant locations. Those are our big assets. It would be a big loss if you lost a whole production facility; that’s a significant impact, not just a short-term impact. The insurance companies are asking a lot more cyber questions; they’re asking for network maps. I don’t want to give my insurance provider all those details, so we say: ‘We follow these controls. This is how we generally do it, and we have a third party that has audited it.’”