The ISA/IEC 62443 series of standards defines requirements and provides guidance for ensuring the cybersecurity of industrial control systems (ICS). The ISA99 committee has added standards and technical reports to the series over the years, working in cooperation with IEC Technical Committee 65 Work Group 10. The result is a series that is almost “feature complete,” in that it addresses the majority of elements required for a comprehensive industrial cybersecurity program. Since the publication of the first standard in the series in 2007, the level of adoption and application in several critical infrastructure sectors has steadily increased. However, with increased adoption comes increased scrutiny, which in turn leads to an accumulation of questions and suggestions about how the standards can be improved. This feedback must not only direct additional improvements to the standards, but also be used to develop practical case studies and associated implementation guidance.
Rather than approaching this on a per-standard basis, the authoring committees have agreed that this is the time for a critical review of the series to establish the baseline for the next phase of development. In addition to responding to the feedback received, it is also necessary to address topics that may have been overlooked or given inadequate attention. While the immediate goal is to improve the standards and have them reflect current technology and practices, the larger objective remains unchanged: to increase the security and resilience of automation systems used in the critical infrastructure.
System and component suppliers have demonstrated their willingness to apply the appropriate standards by pursuing independent certification of their products. Many asset owners have applied the basic principles at the core of the standards to take the first meaningful steps in areas such as asset management and risk assessment.
Topics To Be Addressed
While essential, this is not sufficient. Based on feedback received from system suppliers, asset owners and other stakeholders, there are several topics that must be addressed in moving the standards forward, including:
• Consistency across the series with respect to terminology, concepts, and models,
• Positioning the standards for broader adoption across sectors,
• Positioning industrial cybersecurity standards with relation to other complementary standards such as ISO 2700x,
• Developing the relationship between security level and systems maturity level, and
• Reviewing and revising the normative requirements to improve traceability to the general requirements at the foundation of the series.
Smaller groups within the authoring committees are working on each of these areas as they develop new editions of specific standards. At the same time, there are efforts focused on how to make the standards more suitable for application across multiple industry sectors.
The result of these efforts will be an updated roadmap that will show projected release dates for specific parts of the 62443 series. The priority is to coordinate the release of those standards in the series that are considered “pillars,” in a manner that will minimize confusion and inconsistent direction. These pillars include:
• 62443-2-1 describes what is required to establish an effective cybersecurity program.
• 62443-2-4 describes the requirements for service providers.
• 62443-3-2 describes an approach to risk assessment.
• 62443-3-3 describes system level technical requirements.
• 62443-4-1 describes the requirements for a secure product development life cycle.
• 62443-4-2 describes component level technical requirements.
Several of these standards are already being revised to develop second editions that include what has been learned since initial publication.
Consideration must also be given to derivative products and services such as training courses, certifications, and conformance specifications. This work is being done in partnership with programs such as the ISA Global Cybersecurity Alliance and the ISA Security Compliance Institute (ISCI).
Successful coordination and execution of all of these activities will result in an improved set of industrial cybersecurity standards that are more comprehensive in their scope, easier to apply by various roles across the solution life cycle, and suitable for implementation across a range of industry sectors. Since security is an ever-evolving discipline, this will provide a solid foundation for the next stages of development and practice.