ISA/IEC 62443 Standards Evolve to Meet Changing Needs

By Eric Cosman

Technology Trends

Broadly accepted and successful industry standards must evolve and improve in the face of changing circumstances, improvements in technology and the expectations of those who apply them. Although such changes may have implications in areas such as certification and compliance, these can be mitigated through careful change management. The objective is to make the standards and associated guidance easier to apply in a variety of situations.

There have been several examples of such evolution in recent decades. The familiar ISO 27000 series of information security standards traces back in part to the BS 7799 standard, originally written by the United Kingdom Government's Department of Trade and Industry (DTI) in 1995. ANSI/ISA-95 is an international standard from the International Society of Automation for developing an automated interface between enterprise and control systems. Since its first publication several years ago, it has evolved into a five-part standard that has been adopted internationally as IEC 62264.

Scope of the IEC 62443 Standard

The situation with respect to industrial automation cybersecurity is no different. The ISA/IEC 62443 series of standards is now widely accepted in this area, referenced by associated guidance ranging from the NIST Cybersecurity Framework to the various sector- and industry-specific practices and compliance programs. As acceptance and application have grown, the series has also expanded to address virtually all aspects of product and systems security, from security by design for products to operational processes such as systems integration and patch management.

The ISA99 committee has primary responsibility for the majority of the content in the 62443 series. It has listened to and analyzed comments and feedback from suppliers, integrators and asset owners to determine how the standards must evolve to increase their utility and make them easier to implement. Since the individual standards in the series have been developed by different work and task groups over a period of more than ten years, there are opportunities to clarify the basic messages and requirements and to improve their internal consistency. The committee is now developing a plan and a set of recommendations to accomplish this. Improvements will be made to specific standards as they reach their respective stability dates (i.e., when updates are considered). Changes to the normative content (i.e., requirements) in the standards are expected to be minimal, focused primarily on consistent coding and identification, removal of redundancies and correction of any inconsistencies.

All proposed improvements will be presented to the committee and other stakeholder groups and are subject to the same review and approval processes used in creating the original standards. These processes are approved and executed both by ISA, as an ANSI-accredited standards development organization (SDO), and by IEC. All ISA standards processes are open and transparent, allowing monitoring or participation by anyone with an interest in the subject. Those requiring more information can direct their inquiries to