Page updated Jan 18, 2013
The ISA 62443 Standards for Industrial Control System (ICS) Security
Operators of industrial facilities that rely heavily on modern control systems are rightfully concerned about the cybersecurity of their systems. Compromise of these systems can result in downtime, interruption of critical services, release of hazardous materials, contamination of product, and even fires and explosions. Unfortunately, these systems are more vulnerable today than ever due to the rapid adoption of commercial technology. Modern control systems use the same computers, operating systems, network equipment and software that we use in our homes and offices, making them vulnerable to the same threats: malware, hacking, denial-of-service, and misuse. Making matters worse, the threats to these systems are ever increasing. Not only are computer viruses more prevalent, sophisticated and dangerous, but there are numerous examples of evil-doers deliberately tampering with control systems to cause harm.
Figuring out how to secure the complex network of a huge variety of industrial control system products in an industrial facility or corporation can be an overwhelming task. Compounding the challenge is the fact that these systems generally must operate continuously with no scheduled outages, often for years at a time. This can make improvements and maintenance a real challenge.
Fortunately, there is help available. The ISA 99 committee has been hard at work for many years developing a series of standards now known as ISA-62443. These standards incorporate the knowledge and best practices of the hundreds of contributors to the body of work which includes industrial operators from a variety of industries, government agencies, national laboratories, automation suppliers, system integrators, consultants, etc.
Knowing that control system security is a complex subject and that there are different audiences involved, the committee chose to produce a series of standards rather than one single document. An overview of the work products developed by the committee is shown in Figure 1 (see the 'related file' link below).
The work products, which consist of standards and technical reports, are organized into four categories. The General category, as the name implies, contains information about control system security that is of general interest. The next category, Policies & Procedures, includes standards and technical reports that are primarily directed towards the owners and operators of industrial facilities. These documents describe how to establish and operate a control system security program over the lifecycle of the facility. The System category includes information and standards on how to design for security and is largely directed at companies who design and integrate control systems. Finally, the Component category includes standards that are primarily directed towards companies that design and manufacture control system equipment. These standards establish requirements for designing security into these products.
Hopefully this article has helped make you aware of the ISA 62443 series of standards and helped identify which documents are of most interest to you and your organization. There is still much work to be done to finalize or revise these documents. Please visit: http://isa99.isa.org for more information about the committee and how to get involved.
John Cusimano, CFSE, CISSP is director of exida's security services division and is the chair of this Security Committee. He is a process automation safety, security and reliability expert with more than twenty years of experience. John is chairman of the ISA 99 WG4 TG2 Zones & Conduits committee and co-chair of the ISA 99 WG4 TG6 Product Development committee. He is also active in a variety of other ISA S99, ISA S84, and ICSJWG working groups. He is an instructor and a key developer of the ISA IC32 control system security training course. John has a B.S. degree in Electrical & Computer Engineering from Clarkson University and holds CFSE and CISSP certifications. John can be reached at email@example.com.