Understanding the ISA/IEC 62443 Series of Standards

Anna Burrell, an OT cybersecurity consultant with Deloitte, said, “You have to make sure you’re [implementing ISA/IEC 62443] across all of your estate. These cyber incidents don’t care if it’s on a site. It’s going to hit a business and it’s going to either come into your sites and your OT networks and move up, or it’s going to come in the top and move down. So how do you holistically manage all of that risk end to end?”

“ISA/IEC 62443 is a toolset,” explained Burrell. “It’s a standard to give structure and organization in a way that engineers understand. The way you choose to implement those controls works with other policies and standards. It references that it has to work in conjunction with organizational policies and it gives a structure and a common language. It helps people work together to say, ‘How are we going to do this?’”

Burrell said, “You can assure against [62443] because you can check things, but it’s not enforcing how you do things. I think that’s how it’s different and why it applies across industries and sites, projects and organizations. It’s much wider than necessarily some of the more specific [standards].”
 

The owner/system integrator relationship

Businesses that own automation assets must ensure system integrators are delivering systems that meet specified requirements. System integrators must be involved in the process. Part 2-4 of the standard helps integrators understand the asset owners’ needs so they can convey the essence of those needs to asset owners, which benefits the owner/integrator relationship.

Mustard expressed that Part 2-4 is very much about requirements for system integrators and maintenance providers. “It provides a comprehensive list of requirements that an asset owner would want from a vendor, system integrator or maintenance provider. They’re dealing with multiple organizations, which, without the standard, have their own set of requirements that are similar but not identical. If they all use the same standard, it makes their life a lot easier in terms of responding to the requirements,” he said.

Consider BP, for example, Mustard continued. When they have contracts for work in system integration or maintenance, they develop their own set of requirements that are BP-specific. If you go to Shell, they have their own. They build requirements based on what they have done in the past. They may not necessarily incorporate all the requirements that ISA/IEC 62443 has. “When you have a project, there’s a lot of requirements about basic cyber hygiene you need to do, and those get overlooked sometimes in contracts,” he said.

“If you use ISA/IEC 62443-2-4 as the basis, you have everything covered so you’re not going to forget anything. My recommendation is for asset owners to adopt Part 2-4, and also for the system integrators and maintenance providers to read and understand it and be prepared to respond when asset owners put out a request for services in line with that standard,” Mustard explained.

“The integrator delivers solutions that are meeting those requirements,” explained Burrell. “But ultimately, it’s up to the business who owns these systems to make sure the integrators are delivering systems that meet the requirements to the specified level while testing and validating that the services and the maintenance contracts have been done to meet the requirements and manage that risk across the business.”

“The integrators must deliver solutions to meet the requirements, to make sure that the technology can be implemented securely, or the components are certified and meeting those objectives,” Burrell continued. “But as an asset owner, you have to put that technology into your organization in the right way, make sure it’s meeting your need, and ensure the risk is being managed so that these systems are operating correctly while keeping yourselves safe and production working.”
 

Final thoughts

Training people on ISA/IEC 62443 is an ongoing task. “We find that there’s a shortage of talented people in this space,” said Andre Ristaino, managing director at ISA. “We’ve been funding the development of training classes. For product suppliers, there’s a class called ‘IC47.’ It covers the standards associated with product development. It’s a three- or four-day class, and it also has modules that address requirements for product assessors. We saw that there was a gap with the product assessors at our certification bodies. We’re trying to fill that void as well, and we expect to do additional training in the future.”

“The ISA/IEC 62443 series of standards is out there and information about what needs to be done by asset owners, system integrators and product suppliers is all in there,” said Mustard. “I think people need to follow it. I think product suppliers and system integrators need to do it regardless of whether asset owners ask them to do it because it’s the right thing to do. I think asset owners need to understand the totality of what they need to do, and it’s in there. Certification programs will help provide the verification that it’s being done.”

“Things have improved a lot,” continued Mustard. “A few years ago, we would be talking about 62443 and half the audience wouldn’t have known what it was. It’s encouraging to see so many people who already understand it, and where people are actually applying it and doing real practical things with it. I’m encouraged by that, but we still have a long way to go.”