United Nations commission to integrate ISA/IEC 62443 into Cybersecurity Regulatory FrameworkUN Flag img

The United Nations Economic Commission for Europe (UNECE) confirmed at its annual meeting in late 2018 that it will integrate the widely used ISA/IEC 62443 series of standards into its forthcoming Common Regulatory Framework on Cybersecurity (CRF). The CRF will serve as an official UN policy position statement for Europe, establishing a common legislative basis for cybersecurity practices within the European Union trade markets.

At the same time, the UNECE's Working Party on Regulatory Cooperation and Standardization Policies recognized the ISA99 standards development committee for its leading role in conceiving and developing the widely used standards.

The ISA/IEC 62443 standards are developed primarily by the ISA99 committee, with simultaneous review and adoption by the Geneva-based International Electrotechnical Commission (IEC). ISA99 draws on the input of cybersecurity experts across the globe in developing consensus standards that are applicable to all industry sectors and critical infrastructure, providing a flexible and comprehensive framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems (IACS).

UN recognition of ISA99 capped a year in which two major standards in the ISA/IEC 62443 series were completed:

  • ISA/IEC 62443-4-2, Security for Industrial Automation and Control Systems: Technical Security Requirements for IACS Components, provides the cybersecurity technical requirements for components that make up an IACS, specifically the embedded devices, network components, host components, and software applications. The standard, which is based on the IACS security requirements of ISA/IEC 62443‑3-3, System Security Requirements and Security Levels, specifies security capabilities that enable a component to mitigate threats for a given security level without the assistance of compensating countermeasures.
  • ISA/IEC 62443-4-1, Security for Industrial Automation and Control Systems: Product Security Development Life-Cycle Requirements, specifies process requirements for the secure development of products used in an IACS and defines a secure development life cycle for developing and maintaining secure products. The life cycle includes security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management, and product end-of-life.

In addition, another standard in the series is nearing completion. ISA/IEC 62443-3-2, Security Risk Assessment, System Partitioning and Security Levels, is based on the understanding that IACS security is a matter of risk management. That is, each IACS presents a different risk to an organization depending upon the threats it is exposed to, the likelihood of those threats arising, the inherent vulnerabilities in the system, and the consequences if the system were to be compromised. Further, each organization that owns and operates an IACS has its own tolerance for risk.

ISA/IEC 62443-3-2 will define a set of engineering measures to guide organizations through the process of assessing the risk of a particular IACS and identifying and applying security countermeasures to reduce that risk to tolerable levels. A key concept is the application of IACS security zones and conduits, which were introduced in ISA/IEC 62443-1-1: Concepts and Models. The new standard provides a basis for specifying security countermeasures by aligning the identified target security level with the required security level capabilities set forth in ISA/IEC 62443‑3‑3: System Security Requirements and Security Levels.

For information about participating in ISA Standards or on the IEC Systems Committee on Smart Manufacturing, contact Charley Robinson, ISA Standards,crobinson@isa.org.

Have an idea for an ISA standard, book, training course, conference topic, or other product or service? Send it to idea@isa.org.