The ISA99 committee of the International Society of Automation (ISA) and IEC Technical Committee 65 Working Group 10 have been collaborating for many years on the development of the ISA/IEC 62443 cybersecurity standards for industrial automation and control systems (IACS). Defining the scope of the standards in terms of potential consequences has been a basic concept since the first standard was published by ISA in 2003.
While broad applicability has always been the intent, there has been a common perception that they were most appropriate for process industries such as chemicals and refining. Nonetheless, there have been several examples of successful applications in other sectors, such as transportation, building automation, metals and mining, and discrete manufacturing. Meanwhile, some sectors have developed specific standards for their situations. Perhaps the most well-known of these is the NERC CIP series of standards.
One of the challenges associated with sector-specific standards is that many large enterprises have facilities in multiple sectors. For example, if a large chemical processing company has a co-generation plant for power and steam, would it have to base its cybersecurity programs on multiple standards? The reality is that while the nature of the processes may vary across sectors, the products and technologies used for process automation may actually be the same. Distributed control systems (DCS), programmable logic controllers (PLC), and supervisory control and data acquisition (SCADA) systems are designed by their suppliers for broad ranges of applications.
IEC Designates 62443 as a Horizontal Standard
The International Electrotechnical Commission (IEC) recently acknowledged this by officially designating the IEC 62443 standards as “horizontal,” meaning that they are applicable to a wide range of industries. Quoting from the IEC website, “IEC Technical Committee 65 (TC 65) publishes IEC 62443 for operational technology found in industrial and critical infrastructure, including but not restricted to power utilities, water management systems, healthcare, and transport systems. These horizontal standards, also known as base standards, are technology-independent. They can be applied across many technical areas.”
While this may be seen by many as a process or procedural detail, it will have significant implications. The various other IEC technical committees that represent the needs and interests of specific sectors will presumably base their cybersecurity-related efforts on what is in the 62443 standards, focusing on defining how they should be interpreted and applied in a given set of circumstances. This will almost certainly lead to the creation of a set of sector-specific profiles for this purpose. To help in this effort, TC65 WG10 is developing guidance on how to develop such profiles, rather than pursue sector-specific and perhaps inconsistent standards. Guidelines, frameworks, training materials, and other resources can also take on a more general focus, incorporating the needs of many sectors.
This approach will benefit end-users and asset owners who have a presence in or exposure to more than one sector, as with the example cited above. They will have a single source for the fundamental principles and requirements associated with automation systems cybersecurity, allowing them to focus on how these apply in their specific circumstances. Presumably, this will help to reduce some of the current confusion that arises when people ask “What standards apply?” and allow scarce resources to focus on the implementation of a comprehensive cybersecurity program.
Automation system suppliers will also benefit, as they will be able to certify their products for a broader range of applications using a common set of conformance specifications based on 62443. IEC TC65 WG10 and the ISA99 committee will continue to work in close collaboration to advance the 62443 standards for the full range of potential stakeholders. While the standards are mature and proven, there remains much to be done to improve them in the face of current demands and constraints in areas such as IIoT, sensor-level security, and the supply chain.
While there are still many details to be addressed, we should applaud this decision as a benefit to the automation cybersecurity community.