ISA/IEC-62443 is the name by which the most widely used set of norms and standards worldwide is known to protect industrial control systems against threats that come from the cyber world.
The long and continuous process of digitalization and global interconnection has ended up reaching the industry, a sector traditionally reluctant to integrate such advances due to its role as critical infrastructure and the particularity of the internal information transmission protocols. Once connected to the global network, industrial systems (known also by the acronym OT, Operational Technology) are also attractive targets for cyberattacks, and the potential consequences go far beyond the account results of the attacked companies, they may have catastrophic effects on the safety of citizens and infrastructure. From all this, it follows the need to create certain security standards for the sector, such as ISA/IEC-62443, which bears the surname Industrial communication networks – Network and system security.
The main objective of this standard is to provide a comprehensive framework to protect industrial control systems (ICS) against cyber threats, including malware, denial of service attacks, unauthorized intrusions and other security risks. This is achieved through the implementation of technical, organizational and risk management security measures.
Its name, perhaps somewhat cryptic for the uninitiated, bears the initials of the driving organizations: the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC). The ISA is an American non-profit society founded in 1945 with the mission of supporting the global automation of the industrial community through the development of standards and the sharing of knowledge. On the other hand, the IEC is a standards organization dedicated to electrotechnology (a field that integrates electromagnetics, electroacoustics, telecommunications, etc.), which has its origins in the first International Electrical Congress in 1881 in Paris. It collaborates closely with other organizations such as the International Organization for Standardization (ISO), the International Telecommunications Union (ITU) and also with the ISA.
General principles and guiding documents
After several precedents since 2002, when the set of ISA99 standards was approved, the IEC approved the IEC-62443 in 2021 as ‘horizontal standards’, which means that these must be used from the base when other standards are being used. developed.
The ISA/IEC-62443 standard establishes a series of fundamental principles for cybersecurity in industrial control systems, one of the most notable is the concept of shared responsibility, under which all parties must be aligned to ensure security, integrity, system reliability. It is also worth mentioning the defense in depth, to provide redundancy, and the correct segmentation of the network through the concepts of zones and conduits.
The system is divided into four layers, each of which has several guiding documents:
1 General
1-1 Models and concepts
1-2 Master glossary of terms and abbreviations.
1-3 System security compliance metrics
1-4 Security life cycle and use cases.
2 Policies and Procedures
2-1 Requirements for an IACS Security management system.
2-2 Operating a control system security program
2-3 Patch Management in the IACS Environment.
2-4 Certification of IACS supplier security policies and practices.
3 System
3-1 Security technologies for IACS
3-2 Security risk assessment and system design
3-3 System Security requirements and security levels
4 Components and Requirements
4-1 Product development requirements
4-2 Technical security requirements for IACS components.
Maturity and security levels
An important part of the standard is the classification of industrial control systems by maturity and security levels based on the CMMI (Capability Maturity Model Integration) framework. Maturity levels could be stratified as follows:
- Maturity level 1, Initial: suppliers carry out product development with ad hoc and poorly documented methods.
- Maturity level 2, Managed: suppliers are capable of carrying out product development following certain established guidelines, with repeatable processes and professionals with proven experience.
- Maturity level 3, Defined: the processes are integrated into the supplier’s organization, with their practice and the corresponding evidence.
- Maturity Level 4, Improving: Product suppliers take into account appropriate process metrics to track process performance and can demonstrate continuous improvement in those areas.
As for the security level, it is also done through the so-called Security Levels, which measure resistance against different types of attacks:
- Security level 0: there are no requirements or protection required.
- Security level 1: protection against unintentional or accidental misuse.
- Security level 2: protection against intentional but simple misuse.
- Security Level 3: Protection against intentional and sophisticated misuse of modest resources.
- Security level 4: protection against intentional and sophisticated misuse, with exclusive means, exclusive knowledge and high motivation.
Certifications
The set of components of an automated industrial system can be certified according to the IEC 62443 standard. Given the inherent complexity of a system of standards as general and as detailed as this one, there are many companies and labs dedicated to test, to inspect, and to support of companies that wish to secure their processes and production according to the ISA/IEC 62443 standard. A recommendation from all organizations dedicated to protection against cyberattacks is to pay these the necessary attention, putting the time and effort that their size and capabilities allow to adapt their production processes to the highest regulatory level.
Summary
The ISA/IEC 62443 standard is a comprehensive cybersecurity framework designed specifically to protect industrial control systems against cyber threats highly used in industry worldwide. It provides detailed guidance on identifying risks, implementing security controls and managing security effectively, helping organizations protect their critical assets and ensure the continuity of their industrial operations.
Bibliographic resources
- https://www.isa.org/standards-and-publications/isa-standards/t-series-of-standards
- https://www.incibe.es/incibe-cert/blog/iec62443-evolucion-isa99
- https://www.iec.ch/blog/understanding-iec-62443
- https://en.wikipedia.org/wiki/IEC_62443
- https://en.wikipedi a.org/wiki/Capability_Maturity_Model_Integration