Industry standards, such as ISO/IEC 27000 and ISA/IEC 62443, address various aspects of cybersecurity for OT systems. Taken together they provide direction on how to assemble a comprehensive OT cybersecurity program. Each of these standards is designed to address as broad a set of applications as possible, presenting a challenge to those who wish to apply them to a single industry, company, or application.
Profiles can provide a means of tailoring definitions and requirements to a context. However, there must be a methodology for defining such profiles to ensure that essential requirements have been addressed. This will be provided as part of the ISA/IEC 62443 standards.
The State of OT Cybersecurity Standards
There has long been a need for guidance and direction on how to address cybersecurity for OT systems. Although information security is a mature discipline, there are characteristics of OT systems that must also be addressed. This is possible by applying the principles, concepts, and requirements contained in ISO/IEC 27000 and ISA/IEC 62443. While the former focuses on the protection of information, the latter addresses the specific or unique challenges associated with industrial or operations systems. Taken together they provide direction on how to assemble an effective cybersecurity program.
Industry standards are intended to address as broad a set of applications as possible, spanning virtually all industries and technologies. This can be problematic when trying to apply the standards to a single industry, company, or application. While the general concepts are applicable, the language used in standards can often be very broad or even arcane to avoid specific terminology. This forces the reader to translate the broader language to a form that is more suitable for their proposed application. Also, standards are intentionally not prescriptive. While they define what must be accomplished in terms of normative requirements, they typically do not prescribe the means for meeting those requirements.
It is for this reason that standards alone may be insufficient when an asset owner is designing their cybersecurity program. More detail is required in the form of practices and guidance that provide the level of specificity required. Examples of such references include the NIST Cybersecurity Framework (NIST CSF) and various sector-specific guidelines. Unfortunately, such resources may not be fully consistent with the formal requirements contained in the standards.
Simply put, there must be a straightforward means of connecting the “what” contained in normative standards to the “how” provided in guidelines and frameworks. While simply mapping normative requirements to guidelines such has been done with the NIST CSF is useful, it is not sufficient. Such maps are also difficult to maintain because the sources are maintained by different groups, using different processes and timetables.
ARC Advisory Group clients can view the complete report at ARC Client Portal
If you would like to buy this report or obtain information about how to become a client, please Contact Us
Keywords: Cybersecurity, ISO/IEC 27000, ISA/IEC 62443, Profile, Sector, Standard, ARC Advisory Group.