The NATO Energy Security Centre for Excellence and the ISA99 standards committee, Industrial Automation and Control Systems Security, have signed a letter of intent for cooperation in the exchange of information and possible collaboration on learning resources and activities.
The NATO Centre became interested in applying the ISA/IEC 62443 standards during the course of a cyberrisk study of the industrial control systems used in the NATO Central Europe pipeline system, pointed out Vytautas Butrimas, who led the agreement for NATO and now represents the NATO Centre on ISA99. “With this agreement,” he stated, “we look forward to exploring new ways of collaboration with ISA to improve the safety, reliability, and performance of the backbone technologies that support economic activity, national security, and well-being of our societies.”
The ISA/IEC 62443 standards are developed primarily by the ISA99 committee with simultaneous review and adoption by the Geneva-based International Electrotechnical Commission (IEC). ISA99 draws on the input of cybersecurity experts across the globe in developing consensus standards that are applicable to all industry sectors and critical infrastructure, providing a flexible and comprehensive framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems.
The agreement with NATO is the latest in a string of notable milestones in the ongoing development and growing global application of the ISA/IEC 62443 series. Earlier milestones included a prior decision by the United Nations Economic Commission for Europe to integrate the standards into its Common Regulatory Framework on Cybersecurity, which serves as an official UN policy position statement for Europe. They also included the completion of several key standards in the series:
- ISA/IEC 62443-3-2, Security Risk Assessment for System Design, which defines a comprehensive set of engineering measures to guide organizations through the essential process of assessing the risk of a particular industrial automation and control system (IACS) and identifying and applying security countermeasures to reduce that risk to tolerable levels.
- ISA/IEC 62443-4-1, Product Security Development Life-Cycle Requirements, which specifies process requirements for the secure development of products used in an IACS and defines a secure development life cycle for developing and maintaining secure products.
- ISA/IEC 62443-4-2, Technical Security Requirements for IACS Components, which provides the cybersecurity technical requirements for components that make up an IACS, specifically the embedded devices, network components, host components, and software applications.
Other standards in the ISA/IEC 62443 series cover terminology, concepts, and models; establishing an IACS security program; patch management; and system security requirements and security levels. All may be accessed at www.isa.org/findstandards.
The ISA99 committee, like all ISA standards committees, is open to participation by all who are interested. For more information on ISA99 and the ISA/IEC 62443 series of standards, contact Eliana Brazda, ISA Standards, firstname.lastname@example.org.
We want to hear from you! Please send us your comments and questions about this topic to InTechmagazine@isa.org.