Standards update: IACS cybersecurity
By Charley Robinson
The ISA/IEC 62443 series of standards provides a flexible framework to address and mitigate current and future vulnerabilities in industrial automation and control systems (IACS). The standards are being developed primarily by the ISA99 committee, which includes IACS security experts from key industry sectors and critical infrastructure across the globe. The documents are adopted globally by the International Electrotechnical Commission (IEC).
This update looks at recent developments in four key IACS security areas.
ISA-TR62443-2-3, Patch Management in the IACS Environment, has been approved in ballots of ISA99 and the corresponding IEC technical committee, TC65. Comments submitted during the ballots are currently under review within ISA99, with publication expected later this year.
The technical report addresses the installation of patches, also called software updates, software upgrades, firmware upgrades, service packs, hotfixes, basic input/output system updates, and other digital electronic program updates that fix bugs and resolve operability, reliability, and cybersecurity vulnerabilities. It covers many of the problems and industry concerns associated with IACS patch management for asset owners and IACS product suppliers. It also describes the effects poor patch management can have on the reliability and operability of an IACS.
The document provides a defined format for the exchange of information about security patches from asset owners to IACS product suppliers, and definitions of activities associated with the development of the patch information by IACS product suppliers and deployment of the patches by asset owners. The exchange format and activities are defined for use in security-related patches, but may also be applicable for other types of patches or updates.
ISA-dTR62443-1-3, System Security Conformance Metrics, was issued in mid-May for ISA99 committee balloting. The draft technical report is also undergoing IEC balloting.
The document defines the high-priority system cybersecurity conformance metrics for an IACS. High-priority metrics focus attention on security technical control functions that enable the requirements specified in ISA/IEC 62443-3-3-2013, System Security Requirements and Security Levels—a standard that addresses risks from the growing use of business information technology cybersecurity methods to address IACS cybersecurity in complex manufacturing and processing applications.
The conformance metrics in the technical report are defined to:
- measure conformance with IACS requirements specified in other parts of the ISA/IEC 62443 series;
- manage the development of secure IACS products and services;
- monitor and manage user-specified quality of service throughout the deployed life of a system;
- verify secure disposal of systems, subsystems, and components when they are removed from service; and
- provide system measurements to be used by compliance authorities.
Security programs for IACS providers
IEC 62443-2-4, Requirements for Security Programs for IACS Integration and Maintenance Service Providers, is the only standard in the ISA/IEC series that has been developed primarily by the IEC, working in conjunction with the document originators, the Process Automation Users Association (WIB), based in the Netherlands, and with input from ISA99. This standard is expected to be published by the IEC in early 2015.
The standard specifies requirements for the security capabilities that IACS integration and maintenance service providers are to be able to provide to asset owners during integration and maintenance activities of a solution (defined as a control system and any complementary hardware and software components that have been installed and configured to operate in an IACS). Collectively, the security capabilities offered by an IACS integration or maintenance service provider are called its security program. ISA/IEC 62443-2-1-2009, Establishing an Industrial Automation and Control Systems Security Program, describes requirements for the security program of an asset owner.
Security in safety
The ISA84 standards committee on functional safety has launched a review and revision of ISA-TR84.00.09, Security Countermeasures Related to Safety Instrumented Systems (SIS), which was published last year. Drawing on the work of ISA99, the technical report addresses countermeasures that can be used to reduce the likelihood of a security breach that degrades the ability of the SIS to perform its functions. It describes performance criteria to guard against internal and external security threats to the SIS and provides guidance on how to comply with IEC 61511 and ANSI/ISA-84.00.01, Functional Safety: Safety Instrumented Systems for the Process Industry Sector, with respect to cybersecurity.