The World’s Only Consensus-Based Automation and Control Systems Cybersecurity Standards
The ISA/IEC 62443 series of standards defines requirements and processes for implementing and maintaining electronically secure industrial automation and control systems (IACS). These standards set best practices for security and provide a way to assess the level of security performance. Their approach to the cybersecurity challenge is a holistic one, bridging the gap between operations and information technology as well as between process safety and cybersecurity.
The ISA/IEC standards set cybersecurity benchmarks in all industry sectors that use IACS, including building automation, electric power generation and distribution, medical devices, transportation, and process industries such as chemicals and oil and gas.
The International Society of Automation (ISA) established the ISA99 standards committee in 2002, recognizing the need to secure equipment and operations that make up U.S. critical infrastructure against cyberattacks. Since then, ISA99 has published a comprehensive family of standards and technical reports purpose-built to address securing automation and control systems.
The ISA/IEC 62443 standards are submitted to the International Electrotechnical Commission (IEC) for global adoption as the international standards ISA/IEC 62443. The ISA/IEC 62443 series of standards is endorsed by the United Nations. With use cases from more than 20 different industries, the ISA/IEC 62443 series has demonstrated its utility in all industry verticals that use operational technology. In 2021, IEC recognized the series as a horizontal standard, meaning that the standards have been proven to apply to a broad range of different industries.
Getting Started with the ISA/IEC 62443 Standards
A founding principle of the ISA/IEC 62443 standards is the concept of shared responsibility as an essential building block of automation cybersecurity. Key stakeholder groups must align to ensure the safety, integrity, reliability, and security of control systems.
The standards define requirements for key stakeholder groups who are involved in control system cybersecurity. Stakeholder groups include asset owners (end users), automation product suppliers, integrators who build and maintain control system solutions and their components, and service suppliers who support the operation of control systems.
People, processes, and technology all play critical roles in securing automation and control systems. The ISA/IEC 62443 series addresses the security of industrial automation and control systems (IACS) throughout their lifecycle; although the name says "industrial," the series applies to all automation and control systems, not only industrial ones.
The ISA/IEC 62443 standards provide guidance that includes:
- Defining common terms, concepts, and models that can be used by all stakeholders responsible for control systems cybersecurity
- Helping asset owners determine the level of security required to meet their unique business and risk needs
- Establishing a common set of requirements and a cybersecurity lifecycle methodology for product developers, including a mechanism to certify products and vendor development processes
- Defining the risk assessment processes that are critical to protecting control systems
For a complete overview of the series and its documents, download the ISA/IEC 62443 Quick Start Guide.
ISA99: The Mission Continues
The ISA99 committee, Industrial Automation and Control Systems Security, and IEC Technical Committee 65 Working Group 10 (TC 65 WG 10) have cooperated in the development of the ISA/IEC 62443 series of standards and technical reports that define the requirements for cybersecurity robustness and resilience at each stage of the IACS lifecycle.
The final published documents are available from both IEC and ISA. The ISA editions of the standards and reports in the series follow the naming convention “ISA-62443-x-y,” while the IEC editions appear as “IEC 62443-x-y.” The ISA and IEC editions of each document are otherwise identical, and both are released as concurrently as possible.
The ISA99 standards committee has been recognized by the United Nations, UNECE, and NATO. For details on the committee’s current work, visit the ISA99 section of the ISA website.
The ISA Global Cybersecurity Alliance: Advancing the Adoption of 62443
ISA founded the ISA Global Cybersecurity Alliance (ISAGCA) in 2019 to advocate for the importance of automation cybersecurity and to advance the worldwide adoption of the ISA/IEC 62443 series of standards. Today, ISAGCA consists of more than 50 member companies representing more than $1.5 trillion in aggregate revenue across more than 2,400 combined locations around the globe. Automation and cybersecurity provider members serve 31 different industries, underscoring the broad applicability of the ISA/IEC 62443 series of standards.
ISAGCA offers a comprehensive set of resources on the 62443 standards for free to the general public, many of which are linked in the sidebar on this page.
ISASecure®—Certifying Industrial Control System Components and Systems
The ISA Security Compliance Institute (ISCI), a wholly owned ISA certification consortium, offers three certification schemes for off-the-shelf industrial automation and control technology: Component Security Assurance (CSA), IoT Component Security Assurance (ICSA), and System Security Assurance (SSA). ISCI also offers the Security Development Lifecycle Assurance (SDLA) Certification program, which applies to the development processes used by suppliers of control system products. These certifications assure conformance to the ISA/IEC 62443 family of cybersecurity standards. Based on the security requirements published in the ISA/IEC 62443 series, the certification schemes demonstrate suppliers’ commitment to protecting products and systems from a variety of cybersecurity threats.
The following are the published ISA-62443 standards and technical reports.
- ISA-TR99.00.01-2007, Security technologies for industrial automation and control systems
- ISA-62443-1-1-2007, Security for industrial automation and control systems, Part 1-1: Terminology, concepts, and models
- ISA-62443-2-1-2009, Security for industrial automation and control systems, Part 2-1: Establishing an industrial automation and control systems security program
- ISA-TR62443-2-3-2015, Security for industrial automation and control systems, Part 2-3: Patch management in the IACS environment
- ANSI/ISA-62443-2-4-2018 / IEC 62443-2-4:2015+AMD1:2017 CSV, Security for industrial automation and control systems, Part 2-4: Security program requirements for IACS service providers (IEC 62443-2-4:2015+AMD1:2017 CSV, IDT)
- ANSI/ISA-62443-3-2-2020, Security for industrial automation and control systems, Part 3-2: Security risk assessment for system design
- ANSI/ISA-62443-3-3-2013, Security for industrial automation and control systems, Part 3-3: System security requirements and security levels
- ANSI/ISA-62443-4-1-2018, Security for industrial automation and control systems, Part 4-1: Secure product development lifecycle requirements
(An editorial corrigendum issued in December 2020 changed the title from “ANSI/ISA-62443-4-1-2018, Security for industrial automation and control systems, Part 4-1: Product security development life-cycle requirements” to parallel the IEC 62443-4-1 title; there were no other changes.)
- ANSI/ISA-62443-4-2-2018, Security for industrial automation and control systems, Part 4-2: Technical security requirements for IACS components
(Reprinted with an editorial corrigendum in August 2019 to correct a typographical error.)