Understanding the ISA/IEC 62443 Series of Standards

Digital transformation paves the way for businesses to improve efficiency, reduce errors, improve overall equipment effectiveness (OEE) and reduce costs. With the promise of operational technology (OT) advances, comes the need for protecting assets through painstakingly applying cybersecurity principles.

To ensure that businesses are on the same cybersecurity page, a best practice is to adopt and follow established criteria such as the ISA/IEC 62443 series of standards.

The International Society of Automation (ISA) established the ISA99 standards committee in 2002, recognizing the need to secure equipment and operations that comprise U.S. critical infrastructure against cyberattacks. Since then, ISA99 has published a comprehensive family of standards and technical reports purpose-built to address securing automation and control systems.

The ISA/IEC 62443 standards are submitted to the International Electrotechnical Commission (IEC) for global adoption as international standards ISA/IEC 62443. The ISA/IEC 62443 series of standards are endorsed by the United Nations. With use cases from more than 20 different industries, the ISA/IEC 62443 series of standards has demonstrated its utility in all industry verticals that use operational technology systems. In 2021, IEC recognized the series as a horizontal standard, meaning that they have been proven to apply to a broad range of different industries.

The IEC 62443 series of standards addresses cybersecurity for OT in automation and control systems. The series is divided into different sections and describes both technical- and process-related aspects of automation and control system cybersecurity. The series is also known as ISA/IEC 62443 in recognition of the fact that much of the initial development was done by the ISA99 committee of ISA.

Cybersecurity topics are divided by stakeholder category/roles including:

• the operator

• the service providers (system integration and maintenance)

• the component/system manufacturers.

The different roles follow a risk-based approach to prevent and manage security risks in their activities. The ISA/IEC 62443 series of standards defines requirements and processes for implementing and maintaining electronically secure industrial automation and control systems (IACS). These standards set best practices for security and provide a way to assess the level of security performance. Their approach to the cybersecurity challenge is holistic, bridging the gap between OT and information technology (IT) as well as between process safety and cybersecurity.
 

900 volunteers contribute

Steve Mustard, president of National Automation Inc. and former ISA president (2021) explained the work that goes into creating and maintaining the standards. “It’s not just a standard, it’s a multiple set of documents,” he said. “The first versions were in 2005, ‘06, ‘07 and ‘08, and they’re being updated now because they get updated every five years. It became an IEC standard and incorporated Part 2-4 from IEC into that set.”

Mustard said there are around 900 volunteers from all over the world on the ISA99 committee. “Some write content, some review content and some vote on content. They’re in different companies. They’re asset owners, vendors, consultants and educators. They all contribute their time freely. Not all of them are members of ISA, but we’d like them to be,” he added.

“We also have a lot of experts from government organizations and non-government organizations,” continued Mustard. “They put a lot of time in, continuously developing different parts of the standard and technical reports, which are documents that help explain some of the detail in the normative versions of the standards and how you execute that. It’s a lot of work.”

Currently, there is certification for products and systems, and then the development lifecycle for vendors. These standards set cybersecurity benchmarks in all industry sectors that use IACS, including building automation, electric power generation and distribution, medical devices, transportation and process industries such as oil and gas and chemicals.

“Very soon, there will be a site-level assurance program,” explained Mustard. “Parts 2-1 and 3-3 [of ISA/IEC 62443] and many of the other parts of the standard are covering all the requirements in there, much like ISO27001. All the vendors who come along are providing their pieces, but someone has to put them together. The individual projects are great, but it’s the whole ecosystem that you have to certify or validate that the risk is being managed.”
 

Communicating with others

Chris McLaughlin, chief information security officer (CISO) at Johns Manville and one of the many ISA volunteers who are developing the standard, said, “I’d love for there to be an ISO certification at some point. What’s important to us is to be able to demonstrate to physical insurance providers that we have a program that’s working. But at the first stages, you’re just focused on getting all the pieces.”

McLaughlin said insurance companies are asking about cybersecurity. At Johns Manville, he said, “Our physical insurance companies have been doing cyber assessments at each one of our plant locations. Those are our big assets. It would be a big loss if you lost a whole production facility; that’s a significant impact, not just a short-term impact. The insurance companies are asking a lot more cyber questions; they’re asking for network maps. I don’t want to give my insurance provider all those details, so we say: ‘We follow these controls. This is how we generally do it, and we have a third party that has audited it.’”

Anna Burrell, an OT cybersecurity consultant with Deloitte, said, “You have to make sure you’re [implementing ISA/IEC 62443] across all of your estate. These cyber incidents don’t care if it’s on a site. It’s going to hit a business and it’s going to either come into your sites and your OT networks and move up, or it’s going to come in the top and move down. So how do you holistically manage all of that risk end to end?”

“ISA/IEC 62443 is a toolset,” explained Burrell. “It’s a standard to give structure and organization in a way that engineers understand. The way you choose to implement those controls works with other policies and standards. It references that it has to work in conjunction with organizational policies and it gives a structure and a common language. It helps people work together to say, ‘How are we going to do this?’”

Burrell said, “You can assure against [62443] because you can check things, but it’s not enforcing how you do things. I think that’s how it’s different and why it applies across industries and sites, projects and organizations. It’s much wider than necessarily some of the more specific [standards].”
 

The owner/system integrator relationship

Businesses that own automation assets must ensure system integrators are delivering systems that meet specified requirements. System integrators must be involved in the process. Part 2-4 of the standard helps integrators understand the asset owners’ needs so they can convey the essence of those needs to asset owners, which benefits the owner/integrator relationship.

Mustard expressed that Part 2-4 is very much about requirements for system integrators and maintenance providers. “It provides a comprehensive list of requirements that an asset owner would want from a vendor, system integrator or maintenance provider. They’re dealing with multiple organizations, which, without the standard, have their own set of requirements that are similar but not identical. If they all use the same standard, it makes their life a lot easier in terms of responding to the requirements,” he said.

Consider BP, for example, Mustard continued. When they have contracts for work in system integration or maintenance, they develop their own set of requirements that are BP-specific. If you go to Shell, they have their own. They build requirements based on what they have done in the past. They may not necessarily incorporate all the requirements that ISA/IEC 62443 has. “When you have a project, there’s a lot of requirements about basic cyber hygiene you need to do, and those get overlooked sometimes in contracts,” he said.

“If you use ISA/IEC 62443-2-4 as the basis, you have everything covered so you’re not going to forget anything. My recommendation is for asset owners to adopt Part 2-4, and also for the system integrators and maintenance providers to read and understand it and be prepared to respond when asset owners put out a request for services in line with that standard,” Mustard explained.

“The integrator delivers solutions that are meeting those requirements,” explained Burrell. “But ultimately, it’s up to the business who owns these systems to make sure the integrators are delivering systems that meet the requirements to the specified level while testing and validating that the services and the maintenance contracts have been done to meet the requirements and manage that risk across the business.”

“The integrators must deliver solutions to meet the requirements, to make sure that the technology can be implemented securely, or the components are certified and meeting those objectives,” Burrell continued. “But as an asset owner, you have to put that technology into your organization in the right way, make sure it’s meeting your need, and ensure the risk is being managed so that these systems are operating correctly while keeping yourselves safe and production working.”
 

Final thoughts

Training people on ISA/IEC 62443 is an ongoing task. “We find that there’s a shortage of talented people in this space,” said Andre Ristaino, managing director at ISA. “We’ve been funding the development of training classes. For product suppliers, there’s a class called ‘IC47.’ It covers the standards associated with product development. It’s a three- or four-day class, and it also has modules that address requirements for product assessors. We saw that there was a gap with the product assessors at our certification bodies. We’re trying to fill that void as well, and we expect to do additional training in the future.”

“The ISA/IEC 62443 series of standards is out there and information about what needs to be done by asset owners, system integrators and product suppliers is all in there,” said Mustard. “I think people need to follow it. I think product suppliers and system integrators need to do it regardless of whether asset owners ask them to do it because it’s the right thing to do. I think asset owners need to understand the totality of what they need to do, and it’s in there. Certification programs will help provide the verification that it’s being done.”

“Things have improved a lot,” continued Mustard. “A few years ago, we would be talking about 62443 and half the audience wouldn’t have known what it was. It’s encouraging to see so many people who already understand it, and where people are actually applying it and doing real practical things with it. I’m encouraged by that, but we still have a long way to go.”

Additional Resources on ISA/IEB 62443

More information on the ISA/IEC 62443 series of standards can be found on the ISA website. There you will find links to the following resources.

• Published Standards and Technical Reports

• ISA Cybersecurity Certificate Training Program

• ISA Global Cybersecurity Alliance (ISAGCA) website

• Quick Start Guide to ISA/IEC 62443

• Guide to Security Lifecycles in ISA/IEC 62443

• IACS Taxonomy Glossary

• IACS Principal Roles and Responsibilities

• Overview of ISASecure Certification for ISA/IEC 62443

• IoT Security Maturity Model: 62443 Mappings for Asset Owners and Product Suppliers

• ISASecure website for Supplier and Product Certification

This feature originally appeared in AUTOMATION 2024: 1st Annual OT Cybersecurity Trends Report.