Committee Moves Forward in the Development of 62443 Standards
The ISA99 committee of the International Society of Automation was formed in 2002 to create and maintain a set of standards on automation systems security. Since then, members of the committee have authored six normative standards and several technical reports and adopted one standard developed by IEC Technical Committee 65. Collectively these documents are now the most comprehensive source of guidance on the subject. The committee includes a series of smaller working groups, each focused on a specific theme or topic. These groups work almost exclusively in web meetings and conference calls, a practice that has served them well during the current pandemic. In recent years, the committee has hosted at least one face-to-face plenary committee meeting each year to review the current status and plans for future work. Of course, this was not possible this year. In lieu of this, the committee is conducting a series of plenary web meetings for this purpose.
The first of these occurred on October 5, attracting over 110 attendees. The agenda for this meeting included three major topics:
- Committee overview, status, and direction – The focus was on committee structure, workgroup assignments, and specific areas of emphasis.
- Overview of work products – Described the status of each of the components of the 62443 series, with emphasis on those still under development or revision.
- Assessment of 62443 series consistency – A summary of the status of the effort to assess the consistency of the 62443 series and identify opportunities for realignment of content.
While the first two topics were primarily informative in nature, the third included a request for feedback on some of the potential changes proposed by a task group (WG5TG3) chartered to review the series for consistency and completeness. The principal driver for change is to make the standards easier to apply by clarifying the responsibilities of several principal roles across a well-defined life cycle.
These proposals have not yet been formally submitted to committee leaders and there is some sensitivity to potential impact if they are implemented without adequate justification and transition planning. With the 62443 standards now in use in several industry sectors, the committee understands that the benefits of any proposed improvements must outweigh any disruption that may be caused. Any recommended changes will first be reviewed by the committee leadership and then – as necessary – submitted for approval to the voting members of the committee. This process includes detailed review by and consultation with IEC Technical Committee 65 as the resulting standards are meant to be offered by both ISA and IEC.
Developing a Complete Security Response
Specifically, the foundational requirements that have long served as the basis for derivation of more detailed technical requirements will be expanded and renamed to address both technical and process aspects of a complete security response. This change will include detailed guidance on how to make this transition in documents derived from 62443. The committee is also considering changes to the organization of documents in the series, as well as the possible realignment of some content.
While the implications of such discussions may not be clear to those with a stake in the application of ISA/IEC 62443 at this time, the committee leaders committed to fully explaining their rationale and providing additional guidance for any proposed improvements. This will be done during subsequent plenary meetings and through the use of supplementary guidance materials.
The second plenary committee meeting took place on October 19th, with over 80 people attending. This meeting took the form of an open discussion of several specific topics:
- Clarifying the intended scope of the 62443 standards, allowing for applications in a broad range of industries or sectors
- How to improve the quality of information shared with stakeholders on the work of the committee and the status of 62443
The committee has long described the focus of the standards as being on “Industrial Automation and Control Systems (IACS).” Inclusion of the word “Industrial” in this term has been seen by some as a barrier to applications in sectors that may not consider themselves to be consistent with this characterization. The consensus of those attending appeared to be that this could be addressed by including a clearer definition of intended scope in the initial standard (i.e., 62443-1-1), as well as in related communications and training materials.
The committee will hold additional plenary meetings in the coming weeks to collect feedback from its members and other stakeholders. This information will be used to guide further development, including changes to improve series consistency. These meetings are open to all. More information is available by sending an inquiry to ISA99Chair@gmail.com.