Understanding the ISA/IEC 62443 Series of Standards
Anna Burrell, an OT cybersecurity consultant with Deloitte, said, “You have to make sure you’re [implementing ISA/IEC 62443] across all of your estate. These cyber incidents don’t care if it’s on a site. It’s going to hit a business and it’s going to either come into your sites and your OT networks and move up, or it’s going to come in the top and move down. So how do you holistically manage all of that risk end to end?”
“ISA/IEC 62443 is a toolset,” explained Burrell. “It’s a standard to give structure and organization in a way that engineers understand. The way you choose to implement those controls works with other policies and standards. It references that it has to work in conjunction with organizational policies and it gives a structure and a common language. It helps people work together to say, ‘How are we going to do this?’”
Burrell said, “You can assure against [62443] because you can check things, but it’s not enforcing how you do things. I think that’s how it’s different and why it applies across industries and sites, projects and organizations. It’s much wider than necessarily some of the more specific [standards].”
The owner/system integrator relationship
Businesses that own automation assets must ensure system integrators are delivering systems that meet specified requirements. System integrators must be involved in the process. Part 2-4 of the standard helps integrators understand the asset owners’ needs so they can convey the essence of those needs to asset owners, which benefits the owner/integrator relationship.
Mustard expressed that Part 2-4 is very much about requirements for system integrators and maintenance providers. “It provides a comprehensive list of requirements that an asset owner would want from a vendor, system integrator or maintenance provider. They’re dealing with multiple organizations, which, without the standard, have their own set of requirements that are similar but not identical. If they all use the same standard, it makes their life a lot easier in terms of responding to the requirements,” he said.
Consider BP, for example, Mustard continued. When they have contracts for work in system integration or maintenance, they develop their own set of requirements that are BP-specific. If you go to Shell, they have their own. They build requirements based on what they have done in the past. They may not necessarily incorporate all the requirements that ISA/IEC 62443 has. “When you have a project, there’s a lot of requirements about basic cyber hygiene you need to do, and those get overlooked sometimes in contracts,” he said.
“If you use ISA/IEC 62443-2-4 as the basis, you have everything covered so you’re not going to forget anything. My recommendation is for asset owners to adopt Part 2-4, and also for the system integrators and maintenance providers to read and understand it and be prepared to respond when asset owners put out a request for services in line with that standard,” Mustard explained.
“The integrator delivers solutions that are meeting those requirements,” explained Burrell. “But ultimately, it’s up to the business who owns these systems to make sure the integrators are delivering systems that meet the requirements to the specified level while testing and validating that the services and the maintenance contracts have been done to meet the requirements and manage that risk across the business.”
“The integrators must deliver solutions to meet the requirements, to make sure that the technology can be implemented securely, or the components are certified and meeting those objectives,” Burrell continued. “But as an asset owner, you have to put that technology into your organization in the right way, make sure it’s meeting your need, and ensure the risk is being managed so that these systems are operating correctly while keeping yourselves safe and production working.”
Final thoughts
Training people on ISA/IEC 62443 is an ongoing task. “We find that there’s a shortage of talented people in this space,” said Andre Ristaino, managing director at ISA. “We’ve been funding the development of training classes. For product suppliers, there’s a class called ‘IC47.’ It covers the standards associated with product development. It’s a three- or four-day class, and it also has modules that address requirements for product assessors. We saw that there was a gap with the product assessors at our certification bodies. We’re trying to fill that void as well, and we expect to do additional training in the future.”
“The ISA/IEC 62443 series of standards is out there and information about what needs to be done by asset owners, system integrators and product suppliers is all in there,” said Mustard. “I think people need to follow it. I think product suppliers and system integrators need to do it regardless of whether asset owners ask them to do it because it’s the right thing to do. I think asset owners need to understand the totality of what they need to do, and it’s in there. Certification programs will help provide the verification that it’s being done.”
“Things have improved a lot,” continued Mustard. “A few years ago, we would be talking about 62443 and half the audience wouldn’t have known what it was. It’s encouraging to see so many people who already understand it, and where people are actually applying it and doing real practical things with it. I’m encouraged by that, but we still have a long way to go.”
-
Bently Nevada 2300/20-RU 2300/20-CN Monitoring controller -
A-B 4100-234-R IMC™ S Class Compact Motion Controllers -
B&R Power Panel 300/400 -
ADLINK cPCI-3840 Processor module -
ACQUISITIONLOGICAL81G -2 -
HIMA K1412B PLC Module -
HIMA K9202B PLC Module -
IS200VTCCH1CBD GE Speedtronic Turbine Control PCB board -
TRICONEX 4200 Digital Output Module -
DEIF SCM-1 PCB CARD Module -
HIMA F3DIO20802 controller plc F3DIO20802 -
HIMA B5233 PLC Module -
HIMA B5322 PLC Module -
HIMA F7105A PLC Module
-
HIMA F7150 PLC Module -
HIMA Z7308 PLC Module -
HIMA F60 PS01 -
TRICONEX 4409 PLC Module -
F8651X HIMA Central module F8651X -
F3236 DIGITAL INPUT MODULE -
HIMA-6E-B HIMA-6E-B Large System Controller -
F8627X HIMA communication module F8627X -
HIMA P8403 PLC Module -
F8628X HIMA F8628X communication module -
F8621A HIMA communication module -
IS200VRTDH1D GE Mark VI Printed Circuit Board -
ABB NIACO2 PLC Module -
ABB NIAMO1 PLC Module
-
HIMAcard F8650X -
HIMA F8652 98465266 PLC Module -
F8652X HIMA Central module -
HIMA 62100 -
HIMA 99-7105233 B5233-1 NSMP -
ABBSPAD 346 C3-AA -
ABBREF543KM127BABB -
ABB 0-63007 M003742626 -
Abb FET3251A0P1B3C0H2M -
ABB 3HAB8800-1 -
ABB 3AUA266001B166 -
ABB3HNM07686-1 -
ABB PQF4-3 TAS -
ABBAC500 DI581-SB1 -
Honeywell 30735863-502 - SWITCH -
Honeywell TK-CCR014 - REDUNDANT NET INTERFACE NEW ORIGINAL FREE EXPEDITED SHIPPING/ -
Honeywell 51403165-400 - new 51403165400/ -
Honeywell318-049-001 quot100 Batteries(Japan Liion2Ah14.8Wh)INTERMEC/ PR2,PR3 P/N -
Honeywell FC-PSU-UNI2450U - Power Supply -
Honeywell 965-0676-010 - WARNING COMPUTER SV -
Honeywell 51403519-160 - Module -
Honeywell 107843 - HOUSING CARBON FILE P/N NE COND # 11438 (4) -
Honeywell VR434VA5009-1000 - Brand new in box Condensing boiler valve DHL fast shipping -
Honeywell SPXCDALMFX - plc new FREE EXPEDITED SHIPPING/ -
Honeywell BCM-PWS - BCM-ETH BCM-MS/TP BCM-MS/TP Network controller setFedEx or DHL -
Honeywell YSTR12D-22/C/-2J0DFA/BE/400/T/-CM.HO.TG.SB.SM,ZS,F1,LP,/FX/,1C-BT - UNMP
-
Honeywell IWS-1603-HW - 90-250VAC 1.0A UNMP -
Honeywell 51304386-150 - MEASUREX Factory Packed -
Honeywell CC-IP0101 - Profibus Gateway Module -
Honeywell CC-PFB401 - / CCPFB401 (NEW IN BOX)
-
Honeywell 50071726 - St 800 Series Pressure Transmitter Remote Diaphragm 11-42VDC -
Honeywell 621-2150 - / 6212150 (NEW NO BOX) -
Honeywell 80360206-001 - USED YAMATAKE CLI BOARD -
Honeywell BMDX001A-001 - ACCURAY / BOARD BMDX001A001 -
Honeywell XCL8010A - New CPU Controller. -
Honeywell PGM-7320 - 1PCS NEW Rae Systems MiniRAE 3000 Portable VOC Monitor#XR -
Honeywell BK-G40 - U65 *FULL INSTALLATION* Gas Meter 3?± Inlet/Outlet Spool NEW UNUSED -
Honeywell DM106-0-B-00-0-R-1-00000-000-E0 - DPR100 250V NSNP -
Honeywell KFD840 - PRIMARY FLIGHT DISPLAY CORE PN: 066-01206-0104 -
Honeywell 51401914-100 - 51400996-100 -
Honeywell TK-PRS021 - Module Via FEDEX/DHL -
Honeywell C7012A1145 - 1PC New UV Flame Detector Expedited Shipping -
Honeywell OV210 - Baxter Bakery Oven Igition Control. For DRO. 00-616973 NEW -
Honeywell 51304431-125 - 1PC New /51304431125 1 year warranty#XR -
Honeywell QPP-0002 - Quad Processor Module / 5 Vdc / Massima 1.2A/24Vdc/max.25mA
-
Honeywell QPP-0002 - Quad Processor Module / 5Vdc / Max. 1.2A/24Vdc/max.25mA
-
Honeywell 8C-PCNT02 - 514543363-275 module
-
Honeywell DPCB21010002 - Tata Printed Circuit Board
-
Honeywell DPCB21010002 - Tata Printed Circuit Board Rev: 0 -
Honeywell 001649-M5T028 - Tata Printed Circuit Board Rev: 0 -
Honeywell YSTD924-(J2A)-00000-FF,W3,TP,TG,SS - NSFS
-
Honeywell XF523-A - / XF523A (NEW IN BOX) -
Honeywell TK-PRS021 - NEW IN STOCK ship by UPS
-
Honeywell 2MLR-AC22 - " 2mlr-dbsf,2mlf-ad4s,2mlf-dc4s,2mlr-ac22 Rack" -
Honeywell 9436610 - MEASUREX NSMP -
Honeywell RT10A-L0N-18C12S0E - RT10A.WLAN.IN.6803.CAM.STD.GMS -
Honeywell 51305896-200 - P:C1 Rev D Nim Modem - FAST SHIP BY Fedex
-
Honeywell TK-FTEB01 - PCL module Brand New Fast Shipping By DHL -
Honeywell 8694500 - Measurex Control Processor Module -
Honeywell DR4500 - Truline and DR4300 Circular Chart Recorder
-
Honeywell EC-7850-A-1122 - / EC7850A1122 (NEW IN BOX)
-
Honeywell XNX-UTAI-RNNNN - NEW Universal transmitter DHL Fast delivery -
Honeywell SPXCDALMFX - plc new One Year Warranty # -
Honeywell TC-RPFM01 - C200 system card brand new Fast Shipping
-
Honeywell 51196655-100 - NSMP
-
Honeywell XCL8010A - / XCL8010A (USED TESTED CLEANED) -
Honeywell 51198801-100 - NEW CPU INTERFACE BOARD UPGRADE KIT UPIU 51306154-100 -
Honeywell 84795 - Sputtering Target 5N Al5Cu 7830x11640x13050
-
Honeywell W7704A-1004 - / W7704A1004 (USED TESTED CLEANED)
-
Honeywell RA890G1229 - FOR FSG UV Protectorelay /PL3
-
Honeywell KFS-599B - 071-01576-0101 UHF Communication Control with Mods (28V)
-
Honeywell WPC2000 - WINTRISS 9683001 WINTRISS CLUTCH/BRAKE CONTROL *NO KEYS*
-
Honeywell C7012E1112 - 1PC C7012E 1112 Burner Detector New In Box Expedited Ship #
-
Honeywell 8C-TCNTA1 - C300 system card brand new Fast Shipping -
Honeywell ANT67A - TCAS Antenna 071-01548-0100 w/ October 2023 Repaired 8130 -
Honeywell CC-PDIS01 - PLC Module Brand New Fast Shipping FedEx or DHL
-
Honeywell R7247C1001 - 2-4SECS NSMP -
Honeywell ALI-80A - Collins Encoding Altimeter - P/N 622-3975-011 - Tested 8130 -Serviceable -
Honeywell 001650-M5T028 - Tata Relay Circuit Board
-
Honeywell 51196886-100 - PC BOARDS (126201 - NEW)
-
Honeywell J-HAM10 - NSNP -
Honeywell TC-IXL062 - 1PCS module New fedex or DHL
-
Honeywell 114M4910-6 - PISTON ASSY PN NS COND 12037 -
Honeywell C7076 - 191002B Sensor Amplifier 220/240v
-
Honeywell 510STR12D21A-B77P - NSNP -
Honeywell 51304511-200 - Module Nim Modem Via FEDEX/DHL
-
Honeywell IC-600 - Integrated Communication Unit RCZ851E 7510700-806 Removed Working
-
Honeywell TC-IAH161 - 1PC NEW REDUNDANT NET INTERFACE one year warranty#XR
-
Honeywell 2001-100-150-126-280-20-100000 - REMAN
-
Honeywell QPP-0001 - FSC QUAD PROCESSOR PACK QPP MODULE CC V1.4 -
Honeywell 30734558-001 - / 30734558001 (USED TESTED CLEANED)
-
Honeywell STD830-E1HS4AS-1-A-ADB-11C-B-21A0-00-0000 - 4500PSI NSNP -
Honeywell 900C75-0560 - NEW HC900 Controller module FedEx DHL Fast delivery -
Honeywell BL870 - Bezel 7014331-921 w/ October 2018 Repaired 8130
-
Honeywell STG77L-E1G000-1-A-CDC-11S-A-20A0-00-0000 - NSMP
-
Honeywell FF-SB14E12K-S2 - / FFSB14E12KS2 (USED TESTED CLEANED)
-
Honeywell 51198685-100 - "Rev. A, 140519-2-LF Power Supply Module 10A 100-240 VAC"
-
Honeywell 942-M96-M - plc new FREE EXPEDITED SHIPPING -
Honeywell TK-IAH161 - 1PC New ANALOG INPUT TKIAH161 Expedited Shipping -
Honeywell C7061F2001 - 1PC UV Flame Detector New In Box #
