ISA/IEC-62443 is the name given to the set of norms and standards most widely used worldwide to protect industrial control systems against threats from the cyber world.
Digitization and increasing global interconnection have finally caught up with industry, a sector that has historically shown resistance to adopting these advances due to its role as critical infrastructure and the specificity of its internal communication protocols. Once connected to the global network, industrial systems (known also by the acronym OT, Operational Technology) are also attractive targets for cyber-attacks, and the consequences of such attacks go far beyond the bottom line of the companies attacked but can have catastrophic effects on the security of citizens and infrastructures. From all this follows the need to create certain security standards for the sector, such as ISA/IEC-62443, which bears the surname Industrial communication networks – Network and system security.
The main objective of the standard is to provide a comprehensive framework for protecting industrial control systems against cyber threats, including malware, denial of service attacks, unauthorized intrusions and other security risks. This is achieved by implementing technical, organizational and risk management security measures.
Its name, perhaps somewhat cryptic for the uninitiated, bears the acronyms of the driving organizations behind it: the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC). The ISA is a US non-profit society founded in 1945 with the mission to support the global automation of the industrial community through the development of standards and the sharing of knowledge. On the other hand, the IEC is a standards organization dedicated to electrotechnology (a field that integrates electromagnetics, electroacoustics, telecommunications, etc.), which has its origins in the first International Electrical Congress in 1881 in Paris. It collaborates closely with other organizations such as the International Organization for Standardization (ISO), the International Telecommunication Union (ITU) and also with the ISA.
General principles and guiding documents
After several precedents since 2002, when the ISA99 set of standards was approved, IEC approved IEC-62443 in 2021 as ‘horizontal standards’, which means that these standards are to be used from the ground up when other standards are being developed.
The ISA/IEC-62443 standard defines key principles for cybersecurity in industrial control systems, highlighting the concept of shared responsibility. According to this approach, all parties involved must work in a coordinated manner to ensure the security, integrity and reliability of the systems. Also worth mentioning are defense in depth to provide redundancy, and the correct segmentation of the network through the concepts of zones and ducts.
The system is divided into four layers, each of which has several governing documents:
1 General
1-1 Models and concepts
1-2 Master glossary of terms and abbreviations.
1-3 System security compliance metrics
1-4 Security life cycle and use cases.
2 Policies and Procedures
2-1 Requirements for an IACS Security management system.
2-2 Operating a control system security program
2-3 Patch Management in the IACS Environment.
2-4 Certification of IACS supplier security policies and practices.
3 System
3-1 Security technologies for IACS
3-2 Security risk assessment and system design
3-3 System Security requirements and security levels
4 Components and Requirements
4-1 Product development requirements
4-2 Technical security requirements for IACS components.
Maturity and security levels
A key part of the standard is the classification of industrial control systems according to maturity and safety levels, based on the CMMI (Capability Maturity Integrated Model) framework. The maturity levels could be stratified as determined below:
- Maturity level 1, Initial: suppliers carry out product development with ad hoc and poorly documented methods
- Maturity level 2, Managed: suppliers are capable of carrying out product development following certain established guidelines, with repeatable processes and professionals with proven experience.
- Maturity level 3, Defined: the processes are integrated into the supplier’s organization, with their practice and the corresponding evidence.
- Maturity Level 4, Improving: product suppliers consider appropriate process metrics to track process performance and can demonstrate continuous improvement in those areas.
As for the level of security, this is also done through the so-called Security Levels, which measure the resistance against different kinds of attacks:
- Security level 0: there are no requirements or protection required.
- Security level 1: protection against unintentional or accidental misuse.
- Security level 2: protection against intentional but simple misuse.
- Security Level 3: protection against intentional and sophisticated misuse of modest resources.
- Security level 4: protection against intentional and sophisticated misuse, with exclusive means, exclusive knowledge and high motivation.
Certifications
The components of an automated industrial system can be certified according to IEC 62443. Due to the complexity of such a comprehensive and detailed regulatory framework, numerous companies and laboratories specialize in testing, inspection and consulting for organizations seeking to ensure their processes and production in accordance with ISA/IEC 62443. A recommendation of all organizations dedicated to protection against cyber-attacks is to give them the necessary attention, putting in the time and effort that their size and capabilities allow to bring their production processes up to the highest regulatory level.
Summary
ISA/IEC 62443 is a set of international standards designed to establish guidelines and best practices in the cybersecurity of Industrial Control Systems (ICS), which is highly used worldwide.
Its main objective is to provide detailed guidance on identifying risks, implementing security controls and managing security effectively, with the aim of ensuring the safety, integrity and reliability of industrial operations.
InprOTech and the ISA/IEC 62443 standard
At InprOTech we understand the critical relevance of this standard for industrial cybersecurity. Therefore, we apply it in our security audit projects for industrial control systems, addressing the specific needs of companies in the sector and facing the challenges of ensuring the integrity, confidentiality and availability in industrial environments.
Do not hesitate to contact us here if you are interested in this service, our team will be excited to help you!