The ISA99 committee and IEC TC65 WG10 have been working together for some time to develop a complete set of standards and specifications on the subject of industrial automation and control systems cybersecurity. Such work can be very arcane – even tedious – taking years to produce a meaningful result. This particularly true for a complex subject as cybersecurity. Although the full development life cycle can be long, there are important milestones along the way that represent major accomplishments. The development of the ISA and IEC 62443 standards have reached such a milestone.
In recent months the committee has delivered complete drafts of several standards in the series that address essential elements of an effective cybersecurity response. These have long been anticipated by the community, and their eventual publication will significantly increase the value of the 62443 series.
Three Crucial Aspects of Cybersecurity for ICS Covered Under 62443
Perhaps most anticipated has been the 62443-3-2 standard (Security Risk Assessment and System Design). The segmentation of a complex control system and the assignment of appropriate security levels is a critical, but complex step in the process of securing industrial systems. This standard was recently approved in a committee ballot and will soon be balloted by the IEC.
The 62443-4-1 and 62443-4-2 standards are also important and have been highly anticipated by asset owners and suppliers. The first defines clear requirements for product development, including the use of a secure development life cycle. The 62443-4-2 standard states detailed technical security requirements for system components, building on and complementing the system level requirements defined in the 62443-3-3 standard. Both these standards are also essentially complete and are proceeding through the approval process.
Completion and publication of these document represents a significant advance in the development and promulgation of standards and practices for industrial control systems security.