ISAGCA Security Lifecycles Whitepaper FINAL
CYBERSECURITY
ALLIANCE
October 2020
www.isa.org/ISAGCA
ZCR 3 - Partition the SUC into Zones and Conduits
Table of Contents
Executive Summary
Introduction
Table of Contents
Table of Figures
IEC/ISA 62443 Series
Summary
Hierarchical View
Lifecycle View
Key Concepts
Principal Roles
IACS and Automation Solution
Security Program
Security Measure
Security Level
Maturity Level
IACS Security Lifecycles
Product Security Lifecycle
Automation Solution Security Lifecycle
Integrated Safety/Security Lifecycle
IACS Assessment and Certification
Security Program Rating
ISASecure® Certification
Other IACS Assessment Options
Published Standards and Technical Reports
References

Introduction
This document provides an overview of the security lifecycles that are described in the ISA/IEC 62443 Series of standards and technical reports, which specifies the requirements for the Security of Industrial Automation and Control System (IACS). There are two security lifecycles that are included in the ISA/IEC 62443 Series: the Product Security Lifecycle and the Automation Solution Security Lifecycle.

Note: The Product Security Lifecycle is based on ISA/IEC-62443-4-1:2018 [8]. The Automation Solution Security Lifecycle is based on an ISA99 Committee draft of ISA/IEC-62443-2-2 [23] and is subject to change.
• Part 1-1: Terminology, concepts and models introduces the terminology, concepts and models used throughout the series. The intended audience includes anyone wishing to become familiar with the fundamental concepts that form the basis for the series.
• Part 1-2: Master glossary of terms and definitions is a list of terms and abbreviations used throughout the series. The master glossary will likely be delivered in an online format.
• Part 1-3: System security conformance metrics describes a methodology to develop quantitative metrics derived from the process and technical requirements in the standards.
• Part 1-4: IACS security lifecycle and use cases provides a more detailed description of the underlying lifecycle for IACS security, as well as several use cases that illustrate various applications.

2. Policies and Procedures – Documents in this group focus on the policies and procedures associated with IACS security.
• Part 2-1: Establishing an IACS security program describes what is required to define and implement an effective IACS Security Program. The intended audience includes asset owners who have responsibility for the design and implementation of such a program.
• Part 2-2: Security Program Ratings provides a methodology for evaluating the level of protection provided by an operational IACS against the requirements in the ISA/IEC 62443 Series of standards.
• Part 2-3: Patch management in the IACS environment provides guidance on patch management for IACS. The intended audience includes anyone who has responsibility for the design and implementation of a patch management program.
• Part 2-4: Security Program requirements for IACS service providers specifies requirements for IACS service providers such as system integrators or maintenance providers.
• Part 2-5: Implementation guidance for IACS asset owners provides guidance on what is required to operate an effective IACS Security Program. The intended audience includes asset owners who have responsibility for the operation of such a program.
3. System Requirements – The documents in Part Type Title Date
IACS. The output of this standard is a 2-5 TR Implementation guidance for IACS asset owners
[Figure: boxes for Part 2-3 (Patch management in the IACS environment), Part 2-4 (Security program requirements for IACS service providers) and Part 4-1 (Product security development lifecycle requirements). Legend: Derived Requirements; Direct References. All Parts shall reference Part 1-1.]
• Part 2-2 refers to the other standards in the 62443 series to create an assessment methodology for an IACS in operation.
• Part 2-3 sets the requirements for the patch management process, which is used to reduce cybersecurity vulnerabilities in the Automation Solution.
• Part 2-4 sets the requirements for Service Providers that are involved in support of the IACS. Integration Service Providers provide integration services for the Automation Solution, and Maintenance Service Providers provide maintenance services for the IACS.
• Part 3-2 sets the requirements for the partitioning of the System Under Consideration into Zones and Conduits and their Risk Assessment. The risk assessment defines the Target Security Level (SL-T) which is used to procure Systems and Components that have the capabilities defined in Part 3-3 and Part 4-2 respectively. Part 3-2 also requires a Cybersecurity Requirements Specification, which is used to create the Automation Solution.
• Part 3-3 sets the technical requirements for IACS Systems based on capability security levels.
• Part 4-1 is used by the Product Supplier to establish and sustain a Security Lifecycle, which is used to create Control System and Component products.
• Part 4-2 sets the technical requirements for IACS Components based on capability security levels.

Lifecycle View
Another view of the ISA/IEC 62443 Series is the lifecycle view. There are two independent lifecycles described in the series: the Product Security Lifecycle and the Automation Solution Security Lifecycle. The Automation Solution Security Lifecycle is further divided into an Integration Phase and an Operation and Maintenance Phase. Figure 5 shows the relationship between the Parts of the ISA/IEC 62443 Series and the various lifecycles and phases.

Note that Part 3-3 spans the Product Security Lifecycle and the Automation Solution Security Lifecycle. Part 3-3 describes the technical requirements for IACS systems and is used by the Product Supplier to develop systems, the Integration Service Provider to integrate systems into an Automation Solution, and the Asset Owner to assess the technical security measures of the IACS throughout the Automation Solution Security Lifecycle.

[Figure: Product Security Lifecycle and Automation Solution Security Lifecycle (Integration; Operation and Maintenance). Phases: Specify, Design, Implement, Verify & Validate, Operate, Maintain, Decommission.]

Key Concepts
Principal Roles
To understand how to use the ISA/IEC 62443 Series, it is first necessary to understand the relationship between Roles, Control System, Automation Solution, and IACS. Figure 6 visualizes this relationship.

Under Control.
• Maintenance Service Provider provides support activities for an Automation Solution.
• Integration Service Provider provides
Embedded Devices, Host Devices, Network Devices, and/or Software Applications.

[Figure 6 labels: Maintenance Service Provider maintains; Integration Service Provider designs and, commissions and validates; Automation Solution; Essential Functions; Control functions; Safety functions; Complementary functions.]

It is important to understand that a role is not necessarily an organization. An organization can have multiple roles, and the responsibilities for a particular role can be split among multiple organizations. For example, an Asset Owner organization can have the Operations role and all or part of the Maintenance Service Provider role. It is also not uncommon that a Product Supplier organization has the Product Supplier role, the Integration Service Provider role and portions of the Maintenance Service Provider role. Finally, while all or part of the responsibilities in a role can be delegated to other organizations, the accountability for the IACS must remain with the Asset Owner organization.

IACS and Automation Solution
The right-hand side of Figure 6 shows the types of systems that are identified in the ISA/IEC 62443 Series:
• IACS Components are provided by a Product Supplier and include the following types:
  • Embedded device – special purpose device designed to directly monitor or control an industrial process
  • Host device – general purpose device running an operating system capable of hosting one or more software applications, data stores or functions from one or more suppliers
  • Network device – device that facilitates data flow between devices, or restricts the data flow, but may not directly interact with a control process
  • Software application – one or more software programs and their dependencies that are used to interface with the process or the control system itself
  Note that a single device may include functions for more than one component type.
• IACS System (or Control System) consists of an integrated set of Embedded Devices (e.g. PLC), Host Devices, Network Devices, and Software Applications that is provided by one or more Product Suppliers.
• Automation Solution is the realization of one or more Control Systems at a particular facility. It includes essential functions such as safety functions and control functions and other supporting functions such as historization and engineering. The Automation Solution is partitioned into Zones and Conduits as part of the risk assessment process.
• The Industrial Automation and Control System (IACS) includes the Automation Solution and the organizational security measures for its operation and maintenance.

Figure 7 shows a visualization of the taxonomy for the term Industrial Automation and Control System (IACS).

[Figure 7 – IACS Taxonomy. Labels: Industrial Automation and Control System (IACS); Automation Solution; System under Consideration; Zones; Conduits; Systems; Components (Embedded Devices, Host Devices, Network Devices, Software Applications); Organizational Security Measures (Policies, Processes).]

Security Program
Part 2-1 specifies Asset Owner Security Program requirements for the IACS. A Security Program consists of the implementation and maintenance of personnel, policy, & procedural and technology-based capabilities that reduce the cybersecurity risk of an IACS.

In the context of Part 2-1, the Asset Owner is also the Operator of the IACS and the Equipment Under Control (the process equipment or manufacturing equipment being controlled by the IACS). The Security Program covers the entire lifecycle of the IACS. Because the lifetime of an IACS can be longer than the product supplier support timeframe, the standard recognizes that not all requirements can be met by legacy systems, so compensating security measures may be needed to secure the IACS.

Although the Asset Owner is ultimately accountable for the secure operation of the IACS, implementation of security capabilities requires the support of product suppliers and service providers. The Asset Owner must include requirements for security throughout the supply chain to meet the overall Security Program requirements.

Risk Assessment
Part 3-2 describes the requirements for addressing the cybersecurity risks in an IACS, including the use of Zones and Conduits, and Security Levels. While Part 3-2 includes the

[Flowchart labels: ZCR 1 - Identify the System Under Consideration (SUC); ZCR 4 - Initial risk exceeds tolerable; Yes; No.]

[Security Measure figure labels: Security Measure; Technical; Organizational; Physical; Inherent; Compensating; Associated.]

[Security Level figure labels: Achieved (SL-A).
SL1: Protection against casual or coincidental violation
SL2: Protection against intentional violation using simple means with low resources, generic skills, and low motivation]

[Maturity Level figure:
ML1 Initial: Processes are performed in an ad-hoc or undocumented manner
ML2 Managed: Processes are documented and describe how to manage the delivery and performance of the activity
ML3 Defined/Practiced: Processes are documented, executed, and repeatable
ML4 Improving: Processes are improved over time using metrics for performance and effectiveness]
natively without additional Processes are improved over time using
ML4 Improving
compensating security metrics for performance and effectiveness
actual levels of security for a particular technical security requirements for a specified
Components
Host Devices
1. Development process
2. Identification of responsibilities
3. Identification of applicability
4. Security expertise
5. Process scoping
6. File integrity
7. Development environment security
8. Controls for private keys
9. Security requirements for externally provided components
10. Custom developed components from 3rd party suppliers
11. Assessing and addressing security-related issues
12. Process verification
13. Continuous improvement

Specification of security requirements (SR)
The processes in the specification of security requirements practice are intended to define and document the security capabilities of the product and the expected product security context. The technical security capabilities of the product are defined in Part 3-3 for Systems and Part 4-2 for Components. The product security context describes the expectations and assumptions about the security environment where the product is used, including threats, risks, and additional compensating security measures.

Specification of security requirements practice requirements include the following processes:
1. Product security context
2. Threat model
3. Product security requirements
4. Product security requirements content
5. Security requirements review

Secure by design (SD)
The processes in the secure by design practice are intended to ensure that the appropriate security considerations have been included throughout the specification and design phases of product development. The secure by design practice is based on the defense in depth strategy, which provides multiple layers of security to thwart security threats.

Secure by design practice requirements include the following processes:
1. Secure design principles
2. Defense in depth design
3. Security design review
4. Secure design best practices

Secure implementation (SI)
The processes specified in the secure implementation practice are intended to ensure that product functionality and security measures are implemented securely.

Secure implementation practice requirements include the following processes:
1. Security implementation review
2. Secure coding standards

Security verification & validation testing (SVV)
The processes specified in the security verification & validation testing practice are intended to ensure that the security requirements have been met for the product, and security of the product is maintained when it is used in its security context and configured according to the defense in depth strategy.

Security verification & validation testing practice requirements include the following processes:
1. Security requirements testing
2. Threat mitigation testing
3. Vulnerability testing
4. Penetration testing
5. Independence of testers

Management of security-related issues (DM)
The processes specified in the management of security-related issues practice are used for handling security-related issues of a product that has been configured to employ its defense in depth strategy within the product security context.

Management of security-related issues practice requirements include the following processes:
1. Receiving notifications of security-related issues
2. Reviewing security-related issues
3. Assessing security-related issues
4. Addressing security-related issues
5. Disclosing security-related issues
6. Periodic review of security defect management practice
ZCR 7 - Asset owner approval
[Figure: Automation Solution Security Lifecycle, showing for each phase the roles, key activities and applicable Parts. Legend: AO = Asset Owner; PS = Product Supplier; SI = Integration Service Supplier; SM = Maintenance Service Provider; A = Accountable; R = Responsible; C = Contributor.]
• A risk assessment methodology that is based on the organization’s risk assessment methodology and includes the consequences for an IACS failure or compromise
• The minimum set of technical and organizational security measures for IACS across the organization
• The use of IACS-specific standards and practices such as ISA/IEC 62443
• The use of IACS-specific certifications such as ISASecure®
IACS-specific Security Program policies for the organization are typically documented in an organization’s standards and practices, project-specific specifications, and contractual agreements with product suppliers and service providers.

Specification
The Specification Phase of the Automation Solution Security Lifecycle is documented in Part 3-2 Security risk assessment for system design [6] clauses ZCR 1 through 3 as shown in Figure 8. This phase of the lifecycle includes identifying the System Under Consideration, performing an initial high-level risk assessment, and partitioning the System into security zones and conduits. The result of this process is the Target Security Levels for each Zone and Conduit in the System Under Consideration.

Roles and Responsibilities:
• Asset Owner is accountable and responsible
• Integration Service Provider is consulted

Key activities:
• Perform initial cybersecurity risk assessment
• Partition the System Under Consideration into Zones and Conduits
• Specify the Target Security Level used for the Design phase

Design
The Design Phase of the Automation Solution Security Lifecycle is documented in Part 3-2 Security risk assessment for system design [6] clauses ZCR 4 through 7 as shown in Figure 8. This phase of the lifecycle is the detailed design of the System Under Consideration and includes for each Zone and Conduit:
• the technical security measures based on the Security Level from Part 3-3 System security requirements and Security Levels [7]
• the organizational security measures that are associated with the selected technical security measures
• additional compensating technical and organizational security measures
The key deliverable from the Design Phase is the Cybersecurity Requirements Specification, which must be approved by the Asset Owner before the Implementation Phase can start.

Roles and Responsibilities:
• Asset Owner is accountable
• Integration Service Provider is responsible
• Product Supplier is consulted

Key activities:
• Perform detailed cybersecurity risk assessment for each Zone and Conduit
• Design technical security measures based on the Target Security Level for each Zone and Conduit
• Design guidelines for the development of Organizational Security Measures
• Approval of the Cybersecurity Requirements Specification

Implementation
The Implementation Phase of the Automation Solution Security Lifecycle is when the technical security measures that are specified in the Cybersecurity Requirements Specification are implemented in the Automation Solution. In this Phase, the organizational security measures required for the Operations Phase and the Maintenance Phase are developed so that they are available during the Verification & Validation Phase.

It is important that the security of the Automation Solution is maintained during the Implementation Phase by the Integration Service Provider. This includes, but is not limited to, maintaining physical and logical access controls, installing product security updates in a timely manner, data confidentiality, and protecting against malware. Refer to Part 2-4 Security program requirements for IACS service providers [4] for additional security requirements.

Roles and responsibilities:
• Asset Owner is accountable
• Integration Service Provider is responsible for technical security measures
• Maintenance Service Providers are responsible for organizational security measures for maintenance
• Asset Owner is responsible for organizational security measures for operations

Key activities:
• Implement technical security measures based on Target Security Level
• Implement product security updates during the integration phase
• Develop organizational security measures for maintenance phase
• Develop organizational security measures for operations phase

Verification & Validation
The Verification & Validation Phase of the Automation Solution Lifecycle is when the Automation Solution is tested to ensure that the technical and organizational security measures meet the security requirements specified in the Cybersecurity Requirements Specification. In some industry sectors these tests are called Factory Acceptance Tests (FAT) or Site Acceptance Tests (SAT). Examples of security-related tests in this phase include vulnerability scans, penetration tests, intrusion detection tests and access control tests. Part 2-2 can be used to determine the Security Program Rating – Capability (SPR-C) before the Automation Solution is put into operation.

The last step in the Verification & Validation Phase is the formal handover of the Automation Solution to the Asset Owner. Immediately after the handover, the Asset Owner is responsible for preparing the Automation Solution for the Operation Phase. Particular attention should be paid to changing the access controls (e.g., passwords, encryption keys) implemented by the Integration Service Provider or Product Supplier before placing the Automation Solution in service. This may be the last time that certain accounts/credentials for some essential functions can be changed before the Automation Solution is put in operation.

Roles and responsibilities:
• Asset Owner is accountable
• Integration Service Provider is responsible for implementing technical security measures
• Maintenance Service Providers are responsible for organizational security measures for maintenance
• Asset Owner is responsible for organizational security measures for operations

Key activities:
• Verify technical security measures
• Validate organizational security measures for operations
• Validate organizational security measures for maintenance

Handover to Operations
• Key activity at the end of the V&V phase
• Formal acceptance of the IACS by the Asset Owner
• Must change credentials (accounts, passwords, keys) before putting the IACS into operation

Operation
The Operation Phase of the Automation Solution Lifecycle is when the Automation Solution is placed into service and all of the organizational and technical security measures are executed. The organizational security measures, technical security measures, and associated IACS risk assessment must be periodically reviewed and updated.

Roles and Responsibilities:
• Asset Owner is accountable and responsible for Operations

Key activities:
• Operate the IACS and the Equipment Under Control
• Perform organizational security measures for operations, such as incident response and recovery
• Periodically re-assess the organizational and technical security measures
• Trigger maintenance requests

Maintenance
The Maintenance Phase of the Automation Solution Lifecycle is triggered by Operations requests or the monitoring of security threats and security vulnerabilities. Addressing security threats or vulnerabilities may require changes to the organizational or technical security measures of the IACS and must be implemented using a Management of Change process that includes risk assessment.

The security requirements for product updates to address security vulnerabilities are specified in Part 2-3: Patch management in the IACS environment. The patch management process involves the Asset Owner, Product Supplier and Maintenance Service Provider roles.

Roles and Responsibilities:
• Asset Owner is accountable
• Maintenance Service Provider is responsible for organizational security measures for maintenance
• Product supplier is responsible for product support and security updates

Key activities:
• Perform organizational security measures for maintenance
• Monitor threats and security vulnerabilities
• Implement Management of Change procedures including reviewing risk assessments
• Update organizational and technical security measures

Decommissioning
The Decommissioning Phase of the Automation Solution Lifecycle can be triggered by a maintenance activity (e.g. replacing a hard drive) or by a major upgrade to the IACS. In either case, the decommissioning must be done in such a way that the Asset Owner’s on-going operations are not compromised. A key activity in this phase is the destruction or purging of sensitive data.

Roles and Responsibilities:
• Asset Owner approves decommissioning Management of Change requests
• Maintenance Service Provider decommissions the assets

Key activities:
• Purge sensitive data
• Decommission the IACS assets

Integrated Safety/Security Lifecycle
There is a joint working group between the ISA84 and ISA99 Committees that is working together to align the Safety Lifecycle described in IEC 61511 Functional safety - Safety instrumented systems for the process industry sector [13] and the security lifecycle described in various parts of ISA/IEC 62443 Security for Industrial Automation and Control Systems. The result of this work will be documented in a future edition of ISA-TR84.00.09-2017, Cybersecurity Related to Functional Safety Lifecycle [14].

IACS Assessment and Certification
Security Program Rating
ISA/IEC-62443-2-2 – Security for Industrial Automation and Control Systems – Part 2-2: IACS security program ratings (draft) specifies a methodology for the evaluation of security for each Zone in an IACS Automation Solution. Figure 14 shows the taxonomy for the Security Program Rating, which is a combination of the Security Level of technical security measures, and the Maturity Level of organizational security measures.

Similar to Security Levels, there are three types of Security Program Ratings: Capability (SPR-C), Target (SPR-T), and Achieved (SPR-A). Capability and Target SPRs are used during the Specification, Design, Implementation, and Verification & Validation phases of the Automation Solution Security Lifecycle. Achieved SPR can only be determined during the Operation and Maintenance phases of the Lifecycle.

The Security Program Ratings for each security requirement in the overall IACS Security Program (as defined in Part 2-1) are evaluated to determine the overall effectiveness of the IACS Security Program.

[Figure 14 – Security Program Rating Taxonomy. Labels: Security Program Rating: Capability (SPR-C), Target (SPR-T), Achieved (SPR-A); Security Level: SL1, SL2, SL3, SL4; Maturity Level: ML1, ML2, ML3, ML4.]

ISASecure® Certification
The ISA Security Compliance Institute is a non-profit organization that has developed several product certification programs for Controls
Information about CSET® can be found at www.us-cert.gov/ics/Downloading-and-Installing-CSET.

[Figure 15 – ISASecure® Product Certifications]
Published Standards and Technical Reports
1. ISA-62443-1-1-2007 / IEC TS 62443-1-1:2009 – SECURITY FOR INDUSTRIAL AUTOMATION AND
CONTROL SYSTEMS, PART 1-1: TERMINOLOGY, CONCEPTS AND MODELS
2. ISA-62443-2-1-2009 / IEC 62443-2-1:2010 – SECURITY FOR INDUSTRIAL AUTOMATION AND
CONTROL SYSTEMS, PART 2-1: ESTABLISHING AN INDUSTRIAL AUTOMATION AND CONTROL
SYSTEMS SECURITY PROGRAM
3. ANSI/ISA-TR62443-2-3-2015 / IEC TR 62443-2-3:2015 – SECURITY FOR INDUSTRIAL AUTOMATION
AND CONTROL SYSTEMS, PART 2-3: PATCH MANAGEMENT IN THE IACS ENVIRONMENT
4. ANSI/ISA-62443-2-4-2018 / IEC 62443-2-4:2015+AMD1:2017 CSV – SECURITY FOR INDUSTRIAL
AUTOMATION AND CONTROL SYSTEMS, PART 2-4: SECURITY PROGRAM REQUIREMENTS FOR IACS
SERVICE PROVIDERS
5. IEC TR 62443-3-1:2009 - SECURITY FOR INDUSTRIAL AUTOMATION AND CONTROL SYSTEMS, PART
3-1: SECURITY TECHNOLOGIES FOR INDUSTRIAL AUTOMATION AND CONTROL SYSTEMS
6. ISA-62443-3-2-2020 – SECURITY FOR INDUSTRIAL AUTOMATION AND CONTROL SYSTEMS, PART
3-2: SECURITY RISK ASSESSMENT FOR SYSTEM DESIGN
7. ANSI/ISA-62443-3-3-2013 / IEC 62443-4-2:2013 – SECURITY FOR INDUSTRIAL AUTOMATION AND
CONTROL SYSTEMS, PART 3-3: SYSTEM SECURITY REQUIREMENTS AND SECURITY LEVELS
8. ANSI/ISA-62443-4-1-2018 / IEC 62443-4-1:2018 – SECURITY FOR INDUSTRIAL AUTOMATION AND
CONTROL SYSTEMS, PART 4-1: SECURE PRODUCT DEVELOPMENT LIFECYCLE REQUIREMENTS
9. ANSI/ISA-62443-4-2-2018 / IEC 62443-4-2:2019 – SECURITY FOR INDUSTRIAL AUTOMATION AND
CONTROL SYSTEMS, PART 4-2: TECHNICAL SECURITY REQUIREMENTS FOR IACS COMPONENTS
10. IEC TR 63069:2019 – INDUSTRIAL-PROCESS MEASUREMENT, CONTROL AND AUTOMATION –
FRAMEWORK FOR FUNCTIONAL SAFETY AND SECURITY
11. IEC TR 63074:2019 – SAFETY OF MACHINERY – SECURITY ASPECTS RELATED TO FUNCTIONAL
SAFETY OF SAFETY-RELATED CONTROL SYSTEMS
12. ISO/IEC/IEEE 24748-1 – SYSTEMS AND SOFTWARE ENGINEERING – LIFE CYCLE MANAGEMENT PART
1: GUIDELINES FOR LIFE CYCLE MANAGEMENT
13. ISA-84.00.01-2004 PART 1 / IEC 61511-1:2016 – FUNCTIONAL SAFETY – SAFETY INSTRUMENTED
SYSTEMS FOR THE PROCESS INDUSTRY SECTOR – PART 1 FRAMEWORK, DEFINITIONS, SYSTEM,
HARDWARE AND APPLICATION PROGRAMMING REQUIREMENTS
14. ISA-TR84.00.09-2017, CYBERSECURITY RELATED TO THE FUNCTIONAL SAFETY LIFECYCLE
15. IEC 61508 (ALL PARTS) – FUNCTIONAL SAFETY OF ELECTRICAL/ELECTRONIC/PROGRAMMABLE
ELECTRONIC SAFETY-RELATED SYSTEMS
References
16. QUICK START GUIDE: AN OVERVIEW OF ISA/IEC 62443 STANDARDS, ISA GLOBAL CYBERSECURITY
ALLIANCE, https://gca.isa.org/blog/download-the-new-guide-to-the-isa/iec-62443-cybersecurity-
standards
17. NIST SP 800-82 REVISION 2, GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY
18. THE 62443 SERIES OF STANDARDS: INDUSTRIAL AUTOMATION AND CONTROL SECURITY, ISA99
COMMITTEE
19. FREQUENTLY ASKED QUESTIONS: THE ISA99 COMMITTEE AND 62443 STANDARDS, ISA99
COMMITTEE
20. INSTRUMENTATION AND CONTROL SYSTEMS SECURITY EXPLAINED: THE WHAT AND THE WHY,
ISA99 COMMITTEE
21. THE SECURITY DEVELOPMENT LIFE-CYCLE: SDL A PROCESS FOR DEVELOPING DEMONSTRABLY
MORE SECURE SOFTWARE, HOWARD, MICHAEL AND LIPNER, STEVE, 2006, MICROSOFT PRESS
22. CAPABILITY MATURITY MODEL INTEGRATION, CMMI INSTITUTE, www.cmmiinstitute.com
23. ISA-62443-2-2: DC 3/2020 SECURITY FOR INDUSTRIAL AUTOMATION AND CONTROL SYSTEMS,
PART 2-2: IACS SECURITY PROGRAM RATINGS (DRAFT)