The ISA99 committee and IEC TC65 WG10 have developed and approved a robust series of international standards that provide normative requirements for securing industrial automation and control systems (IACS). The International Society for Automation (ISA) publishes these as ANSI/ISA-62443 standards, while the identical IEC versions have the designation IEC 62443.
In recent months the committee has added two very important standards to the 62443 series. ISA has approved both, and IEC approval is expected to follow.
62443 Standards Enhance Life Cycle of IACS
Collectively, the 62443 standards provide requirements and guidance for all participants and stakeholders in the life cycle of IACS, including component and system suppliers, system integrators, asset owners and service providers. This life cycle begins with the development of single components, such as an embedded controller, or a group of components working together as a system or subsystem. A system integrator assembles these products into an automation solution, which is then installed at a particular site and becomes part of the IACS.
The 62443-4-1 standard (Product Security Development Life-cycle Requirements) describes product development requirements related to cybersecurity for products intended for use in the industrial automation and control systems environment and provides guidance on how to meet the requirements described for each element. Suppliers are required to apply these requirements to new and existing processes for developing, maintaining and retiring hardware, software or firmware for new or existing products.
The companion 62443-4-2 standard (Technical Security Requirements for IACS Components) is intended to be used by asset owners, system integrators, product suppliers, and, where appropriate, compliance authorities. It provides the cybersecurity technical requirements for the components that make up an IACS, specifically the embedded devices, network components, host components and software applications. The intent is to specify security capabilities that enable a component to mitigate threats for a given security level without the assistance of compensating countermeasures.
The 62443 series of standards now defines requirements for achieving the goal of “secure by design.”
Taken together, these standards represent a major enhancement to the 62443 standards, addressing what is expected and required for securable components and systems, including the processes used in their development. They address “secure by design” as an essential element of an effective long-term response to the need for secure industrial systems. As compliance, certification, and even regulatory bodies adopt and endorse these standards, we expect that newer products will include improved security in their design.