18. REPORTE - Quick Start Guide an Overview of ISA_IEC 62443 Standards - Security of Industrial Automation and Control Systems
ISA Global Cybersecurity Alliance
ISAGCA.ORG
Quick Start Guide:
An Overview of ISA/IEC 62443 Standards
Security of Industrial Automation
and Control Systems
Executive Summary

This document is intended to provide the reader with a detailed overview of the ISA/IEC 62443 series of standards and technical reports. The ISA/IEC 62443 series addresses the security of industrial automation and control systems (IACS) throughout their lifecycle. These standards and technical reports were initially developed for the industrial process sector, but have since been applied to building automation, medical devices, and transportation sectors.

There are several trends that have made cybersecurity an essential property of IACS, along with safety, integrity, and reliability. First, over the last two decades, IACS technologies have migrated from vendor-proprietary to commercial off-the-shelf technologies such as Microsoft Windows™ and TCP/IP networking. Second, the value of data residing in the IACS for the business has significantly increased the interconnectivity of IACS both internal and external to the organization. Finally, the means, resources, skills, and motivation of cyberattackers have significantly increased. The combination of these trends has made IACS more vulnerable to cyberattack. Figure 1 shows some of the notable cyberattacks that have impacted IACS.

Initially, the ISA99 committee considered IT standards and practices for use in IACS. However, it was soon found that this was not sufficient to ensure the safety, integrity, reliability, and security of an IACS. This is because the consequences of a successful cyberattack on an IACS are fundamentally different. While the primary consequence of a successful cyberattack on IT systems is financial and privacy loss due to information disclosure, the consequences for an IACS may additionally include loss of life or health, damage to the environment, or loss of product integrity. There are several other differences between IT and IACS such as performance requirements, availability requirements, change management, the time between maintenance windows, and equipment lifetime. [1]

Date  Target                        Method
2000  Australian Sewage Plant       Insider
2010  Iran Uranium Enrichment       Stuxnet
2013  ICS Supply Chain attack       Havex
2014  German Steel Mill
2015  Ukraine Power Grid            BlackEnergy, KillDisk
2016  Ukraine Substation            CrashOverride
2017  Global shipping company       NotPetya
2017  IoT DDoS attack               BrickerBot
2017  Health care, Automotive       WannaCry
2017  Saudi Arabia Petrochemical    TRITON/TRISIS
2019  Norwegian Aluminum Company    LockerGoga

Table 1: Some notable cyberattacks impacting IACS
Source: www.awa.csis.org/programs/technology-policy-program/significant-cyber-incidents

The International Society of Automation (ISA) and the International Electrotechnical Commission (IEC) have joined forces to address the need to improve the cybersecurity of IACS. The ISA99 Committee and the IEC Technical Committee 65/Working Group 10 develop and publish the ISA/IEC 62443 series of standards. These documents describe a methodical engineered approach to addressing the cybersecurity of IACS. They can be purchased from either organization; the technical content is identical. The benefits of using a standards-based approach include reducing the likelihood of a successful cyberattack, the use of a common set of requirements among stakeholders, security throughout the lifecycle, and a reduction in overall lifecycle cost.
Table of Contents

Executive Summary
Table of Contents
Introduction
  Scope and Purpose
  ISA/IEC 62443 Series of Standards Development Organizations
  Summary of ISA/IEC 62443 Series Standards and Technical Reports
Fundamental Concepts
  Security Program
  Risk Management
    Risk Assessment
    Zones and Conduits
    Cybersecurity Requirements Specification
    Threat Modeling
  Foundational Requirements
  Security Levels
  Maturity Model
  Design Principles
    Secure by Design
    Reduce Attack Surface
    Defense in Depth
    Essential Functions
Roadmap for the ISA/IEC 62443 Series
  Principal Roles
  Component, System, Automation Solution, and IACS
  Hierarchical View
  Lifecycle View
  ISA/IEC 62443 Series for Asset Owners
  ISA/IEC 62443 Series for Product Suppliers
  ISA/IEC 62443 Series for Service Providers
    Integration Service Providers
    Maintenance Service Providers
Certification and Training
  ISASecure® Certification
  IECEE Certification
  ISA Cybersecurity Training
  ISA Cybersecurity Certificates
Published Standards and Technical Reports
References

Introduction

This document provides an overview of the ISA/IEC 62443 series of standards and technical reports (referred to as the ISA/IEC 62443 series of standards) which specifies requirements for the security of IACS. The goal of the ISA/IEC 62443 series of standards is to improve the safety, reliability, integrity, and security of IACS using a risk-based, methodical, and complete process throughout the entire lifecycle. The ISA/IEC 62443 Series describes a set of common terms and requirements that can be used by asset owners, product suppliers, and service providers to secure their control systems and the equipment under control.

Scope and Purpose

The scope of the ISA/IEC 62443 series of standards is the security of IACS. An IACS is defined as:

A collection of personnel, hardware, software, and policies involved in the operation of the industrial process and that can affect or influence its safe, secure, and reliable operation.

Note that an IACS includes more than the technology that comprises a control system; it also includes the people and work processes needed to ensure the safety, integrity, reliability, and security of the control system. Without people who are sufficiently trained, risk-appropriate technologies and countermeasures, and work processes throughout the security lifecycle, an IACS could be more vulnerable to cyberattack.

[Figure 1: The Security Triad]

Because IACS are physical-cyber systems, the impact of a cyberattack could be severe. The consequences of a cyberattack on an IACS include, but are not limited to:
• Endangerment of public or employee safety or health
• Damage to the environment
• Damage to the equipment under control
• Loss of product integrity
• Loss of public confidence or company reputation
• Violation of legal or regulatory requirements
• Loss of proprietary or confidential information
• Financial loss
• Impact on entity, local, state, or national security

The first four consequences in the above list are unique to physical-cyber systems and are not typically present in traditional IT systems. Indeed, it is this difference that fundamentally results in the need for different approaches to securing physical-cyber systems and caused standards development organizations to identify the need for standards that are unique to IACS. Some other characteristics of IACS that are not typical in IT systems include: [1]
• More predictable failure modes
• Tighter time-criticality and determinism
• Higher availability
• More rigorous management of change
• Longer time periods between maintenance
• Significantly longer component lifetimes
• Safety, Integrity, Availability, and Confidentiality (SIAC) instead of CIA

Cyber threat actors include but are not limited to insiders (accidental or intentional), hacktivists, cybercriminals, organized crime, and state-sponsored attackers. Types of cyberattacks include but are not limited to ransomware, destructive malware, directed remote access attacks, and coordinated attacks on control systems and associated support infrastructure. Table 1 lists several noteworthy directed and non-directed cyberattacks impacting IACS.

ISA/IEC 62443 Series of Standards Development Organizations

There are two standards development organizations involved in the development of the ISA/IEC 62443 series of standards and technical reports:
• International Society of Automation – ISA99 Committee
• International Electrotechnical Commission – IEC TC65/WG10 Committee

There is a formal liaison agreement between these two standards development organizations. The ISA/IEC 62443 series of standards and technical reports are developed primarily by the ISA99 Committee with input, review, and simultaneous adoption by both the ISA and IEC. The one exception is ISA/IEC 62443-2-4, which was developed by the IEC TC65/WG10 Committee and adopted by ISA. As a result, whether an ISA/IEC 62443 document is published by ISA or IEC, the content is identical except for the non-normative preface and foreword.

The United Nations Economic Commission for Europe (UNECE) confirmed at its annual meeting in late 2018 that it will integrate the widely used ISA/IEC 62443 Series into its forthcoming Common Regulatory Framework on Cybersecurity (CRF). The CRF will serve as an official UN policy position statement for Europe, establishing a common legislative basis for cybersecurity practices within the European Union trade markets. [2]

Refer to the Published Standards and Technical Reports section at the end of this document for a complete list of ISA and IEC cybersecurity-related documents currently available.

Summary of ISA/IEC 62443 Series of Standards and Technical Reports

These documents are arranged in four groups, corresponding to the primary focus and intended audience. [4]

1. General—This group includes documents that address topics that are common to the entire series.
• Part 1-1: Terminology, concepts, and models introduces the concepts and models used throughout the series. The intended audience includes anyone wishing to become familiar with the fundamental concepts that form the basis for the series.
• Part 1-2: Master glossary of terms and definitions is a list of terms and abbreviations used throughout the series.
• Part 1-3: System security conformance metrics describes a methodology to develop quantitative metrics derived from the process and technical requirements in the standards.
• Part 1-4: IACS security lifecycle and use cases provides a more detailed description of the underlying lifecycle for IACS security, as well as several use cases that illustrate various applications.

2. Policies and Procedures—Documents in this group focus on the policies and procedures associated with IACS security.
• Part 2-1: Establishing an IACS security program describes what is required to define and implement an effective IACS cybersecurity management system. The intended audience includes asset owners who have responsibility for the design and implementation of such a program.
• Part 2-2: IACS security program ratings provides a methodology for evaluating the level of protection provided by an operational IACS against the requirements in the ISA/IEC 62443 series of standards.
• Part 2-3: Patch management in the IACS environment provides guidance on patch management for IACS. The intended audience includes anyone who has responsibility for the design and implementation of a patch management program.
• Part 2-4: Security program requirements for IACS service providers specifies requirements for IACS service providers such as system integrators or maintenance providers. This standard was developed by IEC TC65/WG10.
• Part 2-5: Implementation guidance for IACS asset owners provides guidance on what is required to operate an effective IACS cybersecurity program. The intended audience includes asset owners who have responsibility for the operation of such a program.

3. System Requirements—The documents in the third group address requirements at the system level.
• Part 3-1: Security technologies for IACS describes the application of various security technologies to an IACS environment. The intended audience includes anyone who wishes to learn more about the applicability of specific technologies in a control systems environment.
• Part 3-2: Security risk assessment for system design addresses cybersecurity risk assessment and system design for IACS. The output of this standard is a zone and conduit model and associated risk assessments and target security levels. These are documented in the cybersecurity requirements specification. This standard is primarily directed at asset owners and system integrators.
• Part 3-3: System security requirements and security levels describes the requirements for an IACS system based on security level. The principal audience includes suppliers of control systems, system integrators, and asset owners.

4. Component Requirements—The fourth and final group includes documents that provide information about the more specific and detailed requirements associated with the development of IACS products.
• Part 4-1: Product security development life cycle requirements describes the requirements for a product developer's security development lifecycle. The principal audience includes suppliers of control system and component products.
• Part 4-2: Technical security requirements for IACS components describes the requirements for IACS components based on security level. Components include embedded devices, host devices, network devices, and software applications. The principal audience includes suppliers of component products that are used in control systems.

Table 2 shows the complete list of ISA/IEC 62443 standards and technical reports. The part can be derived from the document number; for example, ISA/IEC 62443-2-1 is referred to as Part 2-1 in this document.

The document types are:
• IS – International Standard
• TR – Technical Report
• TS – Technical Specification

Finally, the publication date is shown for each document as of the publication date of this document. ISA/IEC standards are on a five-year update cycle, so many of the published documents are currently in revision.

Part  Type  Title                                                   Date
Overview
1-1   TS    Terminology, concepts, and models                       2007
1-2   TR    Master glossary of terms and abbreviations
1-3         System cybersecurity conformance metrics
1-4         IACS security lifecycle and use cases
Policies & Procedures
2-1   IS    Establishing an IACS security program                   2009
2-2         IACS security program ratings
2-3   TR    Patch management in the IACS environment                2015
[rows for the remaining Policies & Procedures and System parts not recovered]
Component
4-1   IS    Product security development life-cycle requirements    2018
4-2   IS    Technical security requirements for IACS components     2019

Table 2: ISA/IEC 62443 Series Status

Fundamental Concepts

Security Program

Part 2-1 specifies asset owner security program requirements for the IACS. A security program consists of the implementation and maintenance of personnel, policy & procedural, and technology-based capabilities that reduce the cybersecurity risk of an IACS.

In the context of Part 2-1, the asset owner is […] be needed to secure the IACS.

Although the asset owner is ultimately accountable for the secure operation of the IACS, implementation of security capabilities requires the support of product suppliers and
service providers. The asset owner must include requirements for security throughout the supply chain to meet the overall security program requirements.

The security program for the IACS must be coordinated with the overall information security management system (ISMS) of the organization. The ISMS sets the overall security governance and policies for the organization. However, as mentioned above, the IACS is significantly different from IT systems, so there are additional requirements and considerations for its security program.

Risk Management

Risk Assessment

Part 3-2 describes the requirements for addressing the cybersecurity risks in an IACS, including the use of zones and conduits, and security levels. While Part 3-2 includes the requirements for the risk assessment process, it does not specify the exact methodology to be used. The methodology used must be established by the asset owner and […]

[Figure: Part 3-2 zone and conduit requirement (ZCR) workflow, as far as it is recoverable from the page. Start → ZCR 1 – Identify the system under consideration (SUC); inputs: initial system architecture diagrams and inventory, company policies, regulations, tolerable risk guidelines, etc.; output: updated system architecture diagrams and inventory with IACS external services and support identified → ZCR 2 – Perform an initial cybersecurity risk assessment; inputs: existing PHAs and other relevant risk assessments and corporate risk matrix; output: initial evaluation of risk → …]

Partitioning the system under consideration into zones and conduits can also reduce overall risk by limiting the scope of a successful cyber-attack. Part 3-2 requires or recommends that assets be partitioned as follows:
• Separate business and control system assets
• Separate safety related assets
• Separate temporarily connected devices
• Separate wireless devices
• Separate devices connected via external networks

Cybersecurity Requirements Specification

Part 3-2 also requires that required security countermeasures from the risk assessment as […]
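To make the five separation rules concrete, here is an added Python example; it is not code from the guide, from ISA or from the ISA99 committee. It takes a constructed asset inventory of the kind ZCR 1 produces for the system under consideration, checks the current zone assignment against each Part 3-2 rule, and then splits every zone that mixes assets the rules say must be kept apart. The asset names, zone names and the attribute flags on each asset are assumptions made for the example; Part 3-2 does not prescribe this data model.

```python
# Added example (not from the ISA/IEC 62443 guide): checking a proposed zone
# assignment against the five Part 3-2 separation rules quoted in the text.
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    """One row of the SUC inventory (the ZCR 1 output). Attribute names are assumptions."""
    name: str
    zone: str                 # zone the asset is currently assigned to
    kind: str                 # "business" or "control"
    safety: bool = False      # safety related asset (e.g. a SIS logic solver)
    temporary: bool = False   # temporarily connected device
    wireless: bool = False    # wireless device
    external: bool = False    # connected via an external network


# Attributes that, per Part 3-2, call for a zone of their own.
FLAGS = ("safety", "temporary", "wireless", "external")

# Rule identifiers used in findings, mapped to the Part 3-2 wording.
RULES = {
    "business_vs_control": "Separate business and control system assets",
    "safety": "Separate safety related assets",
    "temporary": "Separate temporarily connected devices",
    "wireless": "Separate wireless devices",
    "external": "Separate devices connected via external networks",
}


def group_by_zone(assets):
    """Map each zone name to the assets currently placed in it."""
    zones = defaultdict(list)
    for asset in assets:
        zones[asset.zone].append(asset)
    return dict(zones)


def check_partitioning(assets):
    """Return findings as (rule, zone, offending asset names).

    A zone violates a rule when it mixes what the rule keeps apart: business
    with control assets, or flagged devices with unflagged ones. A zone made
    up entirely of, say, wireless devices is exactly what the rule asks for.
    """
    findings = []
    for zone, members in sorted(group_by_zone(assets).items()):
        kinds = {a.kind for a in members}
        if kinds == {"business", "control"}:
            business = sorted(a.name for a in members if a.kind == "business")
            findings.append(("business_vs_control", zone, business))
        for flag in FLAGS:
            flagged = sorted(a.name for a in members if getattr(a, flag))
            if flagged and len(flagged) != len(members):
                findings.append((flag, zone, flagged))
    return findings


def propose_partition(assets):
    """Split zones so every rule holds: the new zone name is the original zone
    plus the asset kind plus every separation attribute the asset carries, so
    assets that must be kept apart can never share a name."""
    proposed = []
    for asset in assets:
        tags = [asset.kind] + [f for f in FLAGS if getattr(asset, f)]
        proposed.append(replace(asset, zone="/".join([asset.zone] + tags)))
    return proposed


def report(assets):
    """Human-readable finding lines for a review of the zone model."""
    return [f"{zone}: {RULES[rule]} -> {', '.join(names)}"
            for rule, zone, names in check_partitioning(assets)]


# Constructed sample inventory for a small plant; names are illustrative only.
SAMPLE_ASSETS = [
    Asset("erp-server", "enterprise", "business"),
    Asset("mes-server", "control-net", "business"),
    Asset("eng-workstation", "control-net", "control"),
    Asset("plc-1", "control-net", "control"),
    Asset("sis-logic-solver", "control-net", "control", safety=True),
    Asset("vendor-laptop", "control-net", "control", temporary=True),
    Asset("historian", "dmz", "control"),
    Asset("remote-vpn-gw", "dmz", "control", external=True),
    Asset("wifi-hmi", "wireless-ops", "control", wireless=True),
]

if __name__ == "__main__":
    for line in report(SAMPLE_ASSETS):
        print(line)
    print("after split:", check_partitioning(propose_partition(SAMPLE_ASSETS)))
```

Run as a script, the check reports four findings: control-net mixes a business asset (mes-server), a safety asset and a temporarily connected laptop with ordinary control assets, and the DMZ mixes the historian with an externally connected gateway. The split in propose_partition is deliberately mechanical; in a real assessment the resulting sub-zones, and the conduits between them, still need the risk assessment and target security levels that Part 3-2 records in the cybersecurity requirements specification.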
[…] automation solution is commissioned and in operation. Part 2-2 combines SL-A with operational and maintenance policies and procedures to form the security program rating for a particular automation solution.

Maturity Model

While security levels are a measure of the strength of technical requirements, maturity levels are a measure of processes (people, policies, and procedures). Parts 2-1, 2-2, 2-4, and 4-1 use maturity levels to measure how thoroughly requirements are met.

As shown in Table 4, the maturity model is based on the capability maturity model integration (CMMI), with levels 4 & 5 combined into level 4.

Design Principles

Secure by Design

Secure by design is a design principle where security measures are implemented early in the lifecycle of the IACS. The intent is that robust security policies, security architectures, and secure practices are established early in development and implemented throughout the lifecycle. This design principle applies to both product development and automation solution development. When using a secure by design philosophy, security measures operate natively within the control system or component without requiring the addition of compensating countermeasures.

Reduce Attack Surface

Reducing the attack surface is a design principle where the physical and functional interfaces of an IACS that can be accessed and exposed to potential attack are minimized, making it more difficult for an attack to succeed. Reducing attack surface includes design principles such as:
• Access control—restricting physical and logical access to IACS systems and networks
• Network segmentation—segmenting IACS networks and controlling the traffic between them
• Least function—hardening IACS systems and networks by removing unneeded functions
• Least privilege—limiting privileges to the minimum necessary for the role or function

Defense in Depth

Defense in depth is defined as the provision of multiple security protections, especially in layers, with the intent to delay or prevent an attack. Defense in depth implies layers of security and detection, even on single systems, and requires attackers to break through or bypass multiple layers without being detected. The IACS is still protected even if a vulnerability in one layer is compromised. Special attention must be paid to a single vulnerability that allows the potential compromise of multiple layers.

Essential Functions

Essential functions are defined as functions or capabilities that are required to maintain health, safety, the environment, and availability of the equipment under control. Essential functions include:
• the safety instrumented function (SIF)
• the control function
• the ability of the operator to view and manipulate the equipment under control

The loss of essential functions is commonly termed loss of protection, loss of control, and loss of view respectively. In some use cases additional functions such as history may be considered essential. Part 3-3 requires that security measures shall not adversely affect essential functions of a high-availability IACS unless it is supported by a risk […]

• The Industrial Automation and Control System (IACS) includes the automation solution and the operational and maintenance policies and procedures necessary to support it

Hierarchical View

Figure 5 shows the hierarchical relationships among the ISA/IEC 62443 Series of standards. A hierarchical relationship means that one […]
• Part 1-1 introduces the concepts and […]

[Figure 5: Hierarchical view of the ISA/IEC 62443 series. Boxes recoverable from the figure: Part 1-1 Terminology, concepts, and models (all parts shall reference Part 1-1); Part 2-1 Establishing an IACS security program; Part 2-2 IACS security program ratings; Part 2-3 Patch management in the IACS environment; Part 2-4 Security program requirements for IACS service providers; Part 3-2 Security risk assessment for system design; Part 3-3 System security requirements and security levels; Part 4-2 Technical security requirements for IACS components. Legend: derived requirements; direct references.]
Lifecycle View

Another view of the ISA/IEC 62443 series is the lifecycle view. There are two independent lifecycles described in the series: the product development lifecycle and the automation solution lifecycle. The automation solution lifecycle is further divided into an integration phase and an operation and maintenance phase. Table 6 shows the relationship between the parts of the ISA/IEC 62443 series and the various lifecycles and phases.

Note that Part 3-3 spans the product development lifecycle and the integration phase of the automation solution lifecycle. This is because while the product supplier is the main audience for Part 3-3, the integration service provider may also combine components to create control systems. An example would be a SCADA system, where the integration service provider integrates the SCADA system with embedded devices (e.g., PLC) to create an automation solution.

ISA/IEC 62443 Series for Asset Owners

Asset owner activities:
• Establish and sustain a security program that includes IACS-specific requirements
• Partition zones and conduits and perform associated risk assessments
• Document IACS requirements in the cybersecurity requirements specification
• Procure products and services that meet IACS requirements
• Operate and maintain the IACS
• Assess the effectiveness of the IACS security program

Applicable ISA/IEC 62443 standards:
• ISA/IEC 62443-2-1, Establishing an IACS security program
• ISA/IEC 62443-2-2, Security program ratings
• ISA/IEC 62443-2-3, Patch management in the IACS environment
• ISA/IEC 62443-2-4, Requirements for IACS service providers
• ISA/IEC 62443-3-2, Security risk assessment for system design
• ISA/IEC 62443-3-3, System security requirements and security levels

ISA/IEC 62443 Series for Product Suppliers

Product supplier activities:
• Establish and sustain a security development lifecycle
• Provide control system products that meet security level capabilities
• Provide component products that meet security level capabilities
• Provide ongoing lifecycle support for their control system and component products

Applicable ISA/IEC 62443 standards:
• ISA/IEC 62443-4-1, Product security development lifecycle requirements
• ISA/IEC 62443-3-3, System security requirements and security levels
• ISA/IEC 62443-4-2, Technical security requirements for IACS components
• ISA/IEC 62443-3-2, Security risk assessment for system design

ISA/IEC 62443 Series for Service Providers

Integration Service Providers

Integration service provider activities:
• Establish and sustain a security program for automation solution integration
• Design and implement automation solutions that meet the requirements in the cybersecurity requirements specification
• Apply security patches during the integration phase of the automation solution lifecycle

Applicable ISA/IEC 62443 standards:
• ISA/IEC 62443-2-1, Establishing an IACS security program
• ISA/IEC 62443-2-3, Patch management in the IACS environment
• ISA/IEC 62443-2-4, Requirements for IACS service providers
• ISA/IEC 62443-3-2, Security risk assessment for system design
• ISA/IEC 62443-3-3, System security requirements and security levels

Maintenance Service Providers

Maintenance service provider activities:
• Establish and sustain a security program for maintenance services
• Provide services and capabilities that meet the IACS security policies and procedures specified by the asset owner

Applicable ISA/IEC 62443 standards:
• ISA/IEC 62443-2-3, Patch management in the IACS environment
• ISA/IEC 62443-2-2, IACS security program ratings
• ISA/IEC 62443-2-4, Requirements for IACS service providers

ISA Cybersecurity Training

[only the following course entries of this section are recoverable from the page]
• IACS Cybersecurity Design and Implementation (IC34, IC34M)
• IACS Cybersecurity Operation and Maintenance (IC37, IC37M)
• Overview of ISA/IEC 62443 for Product Suppliers (IC46C, IC46M)
Published Standards and Technical Reports

1. ISA-62443-1-1-2007 / IEC TS 62443-1-1:2009 – Security for Industrial Automation and Control Systems, Part 1-1: Terminology, Concepts and Models
2. ISA-62443-2-1-2009 / IEC 62443-2-1:2010 – Security for Industrial Automation and Control Systems, Part 2-1: Establishing an Industrial Automation and Control Systems Security Program
3. ANSI/ISA-TR62443-2-3-2015 / IEC TR 62443-2-3:2015 – Security for Industrial Automation and Control Systems, Part 2-3: Patch Management in the IACS Environment
4. ANSI/ISA-62443-2-4-2018 / IEC 62443-2-4:2015+Amd1:2017 CSV – Security for Industrial Automation and Control Systems, Part 2-4: Security Program Requirements for IACS Service Providers
5. IEC TR 62443-3-1:2009 – Security for Industrial Automation and Control Systems, Part 3-1: Security Technologies for Industrial Automation and Control Systems
6. ISA-62443-3-2-2020 – Security for Industrial Automation and Control Systems, Part 3-2: Security Risk Assessment for System Design
7. ANSI/ISA-62443-3-3-2013 / IEC 62443-4-2:2013 – Security for Industrial Automation and Control Systems, Part 3-3: System Security Requirements and Security Levels
8. ANSI/ISA-62443-4-1-2018 / IEC 62443-4-1:2018 – Security for Industrial Automation and Control Systems, Part 4-1: Product Security Development Life-Cycle Requirements
9. ANSI/ISA-62443-4-2-2018 / IEC 62443-4-2:2019 – Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS Components
10. IEC TR 63069:2019 – Industrial-Process Measurement, Control and Automation – Framework for Functional Safety and Security
11. IEC TR 63074:2019 – Safety of Machinery – Security Aspects Related to Functional Safety of Safety-Related Control Systems

References

1. NIST SP 800-82 Revision 2, Guide to Industrial Control Systems (ICS) Security
2. United Nations Commission to Integrate ISA/IEC 62443 into Cybersecurity Regulatory Framework, ISA InTech Magazine, Jan-Feb 2019
3. The 62443 Series of Standards: Industrial Automation and Control Security, ISA99 Committee
4. Frequently Asked Questions: The ISA99 Committee and 62443 Standards, ISA99 Committee
5. Instrumentation and Control Systems Security Explained: the What and the Why, ISA99 Committee

This document contains some information that is based on ISA99 Committee draft documents. Please refer to the published documents for the definitive set of requirements currently available.
©2023 International Society of Automation