New ISA standard provides auditable approach to assessing cybersecurity risk

The widely used ISA/IEC 62443 Industrial Automation and Control Systems (IACS) Security standards, developed primarily by the ISA99 standards development committee with simultaneous review and adoption by the International Electrotechnical Commission (IEC), provide a flexible framework to address and mitigate current and future IACS security vulnerabilities. The ISA99 committee draws on the input and knowledge of IACS security experts from across the globe to develop consensus standards that are applicable to all industry sectors and critical infrastructure.

A new standard in the series is based on the understanding that each organization that owns and operates an IACS has its own tolerance for risk—and that each IACS represents a unique risk depending on the threats it is exposed to, the likelihood of those threats arising, the inherent vulnerabilities in the system, and the consequences if the system were to be compromised. The new standard, ISA/IEC 62443-3-2: Security Risk Assessment for System Design, defines a comprehensive set of engineering measures to guide organizations through the essential process of assessing the risk of a particular IACS and identifying and applying security countermeasures to reduce that risk to tolerable levels.

The new standard can be effectively applied across all industry and critical infrastructure sectors that depend on secure IACS operations. Moreover, it provides much-needed guidance to all key stakeholder categories, including asset owners, system integrators, product suppliers, service providers, and compliance authorities.

“Currently, there is a wide degree of variability in how industry defines and conducts IACS risk assessments,” says John Cusimano of aeSolutions, who led the ISA99 subgroup that wrote the standard. “ISA/IEC 62443-3-2 establishes fundamental requirements for an IACS risk assessment without being overly prescriptive. The result is a standard that will bring uniformity across industry while still allowing IACS owners and operators to apply any methodology that is compliant with the standard.”

The new standard is the latest in a series of notable milestones in the ongoing development and growing global application of the ISA/IEC 62443 series. These milestones included a decision by the United Nations Economic Commission for Europe to integrate the widely used standards into its Common Regulatory Framework on Cybersecurity, which serves as an official UN policy position statement for Europe. They also included completion of several key additional standards, including:

  • ISA/IEC 62443-4-1, Product Security Development Life-Cycle Requirements, which specifies process requirements for the secure development of products used in an IACS and defines a secure development life cycle for developing and maintaining secure products.
  • ISA/IEC 62443-4-2, Technical Security Requirements for IACS Components, which provides the cybersecurity technical requirements for components that make up an IACS, specifically the embedded devices, network components, host components, and software applications.

Other standards in the ISA/IEC 62443 series cover terminology, concepts, and models; establishing an IACS security program; patch management; and system security requirements and security levels. All may be accessed at

For more information on ISA99 and the ISA/IEC 62443 series of standards, contact Eliana Brazda, ISA Standards,


ISA Standards & Practices board update

As the governing body of ISA Standards, the S&P Board, like all ISA committees, has been operating in a strictly virtual mode this year and will likely continue to do so until a possible face-to-face meeting at the ISA Annual Leaders Conference, planned for October 2021 in Puerto Rico.

Among its activities, the S&P Board has four ongoing teams working on key goals related to ISA’s overall strategic plan as follows:
  • SP1: Committee Effectiveness (leader: Nicholas Sands) – Developing job descriptions for new leadership positions in ISA standards committees, including membership, marketing, social media, and editing, to establish and clarify these roles for committees to fill as desired, and to create bigger pools of committee leaders for succession.
  • SP2: Board Effectiveness (leader: Eric Cosman) – Developing a job description for S&P Board members who serve as managing directors of ISA committees.
  • SP3: Portfolio Management (leader: Dennis Zetterberg) – Focusing on how to best assess the viability of older existing ISA standards, recommended practices, and technical reports.
  • SP4: Stakeholder Engagement (leader: Chris Monchinski) – Assessing how ISA sections and divisions are starting to use the new ISA Connect tool to engage their respective members, for possible applicability to ISA standards committees.

Chris Monchinski of Automated Control Concepts is completing a two-year term as vice president of ISA’s Standards & Practices Department. Dennis Zetterberg of Chevron will begin a two-year term as vice president on 1 January 2021. David Lee of Emerson will serve as vice president-elect.

