Charting a new era of ISA/IEC cybersecurity standards
The widely used ISA/IEC 62443 series of standards, developed primarily by the ISA99 committee, Industrial Automation and Control Systems Security, with simultaneous review and adoption by the International Electrotechnical Commission (IEC), provides a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems (IACS). The committee draws on the input and knowledge of IACS security experts from across the globe to develop consensus standards that are applicable to all industry sectors and critical infrastructure.
At a year-end meeting in Mannheim, Germany, the committee took stock of where it is and where it wants to go as a new decade unfolds. There is much to build on, as the committee closed out the final years of the past decade with several notable successes. These included a decision by the United Nations (UN) Economic Commission for Europe to integrate the widely used standards into its Common Regulatory Framework on Cybersecurity, which serves as an official UN policy position statement for Europe. They also included completion of several key standards in the series, including:
- ISA/IEC 62443-4-1, Product Security Development Life-Cycle Requirements, which specifies process requirements for the secure development of products used in an IACS and defines a secure development life cycle for developing and maintaining secure products. The life cycle includes security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management, and product end-of-life.
- ISA/IEC 62443-4-2, Technical Security Requirements for IACS Components, which provides the cybersecurity technical requirements for components that make up an IACS, specifically the embedded devices, network components, host components, and software applications.
Looking ahead in 2020, an important standard expected to be completed in the coming months is ISA/IEC 62443-3-2, Security Risk Assessment for System Design, which is based on the understanding that IACS security is a matter of risk management. That is, each IACS presents a different risk to an organization depending upon the threats it is exposed to, the likelihood of those threats arising, the inherent vulnerabilities in the system, and the consequences if the system were to be compromised. Further, each organization that owns and operates an IACS has its own tolerance for risk. For these reasons, ISA/IEC 62443-3-2 will define a set of engineering measures to guide organizations through the process of assessing the risk of a particular IACS and identifying and applying security countermeasures to reduce that risk to tolerable levels.
The new year will also likely see the publication of a revision of ISA/IEC 62443-2-1, with the revised title Security Program Requirements for IACS Asset Owners. This standard specifies asset owner security program requirements for an IACS. An asset owner, in the context of the standard, also includes the operator of an IACS.
The revision of ISA/IEC 62443-2-1 reflects a new stage in ISA99’s growth and progression in which much of the important content has been defined, but there is a continual need to review and update material while identifying and correcting gaps and inconsistencies that may exist in the various standards that make up the series.
This stage will be evident in a new revision of ISA/IEC 62443-1-1, Models and Concepts, for which a first update draft has been prepared for review by the committee. This foundational standard established the context for all of the other standards in the series.
Among other updates underway, ISA99 is also working on converting ISA/IEC TR62443-2-3, Patch Management in the IACS Environment, into a standard by adding normative language. The current technical report addresses the installation of patches, also called software updates, software upgrades, firmware upgrades, service packs, hotfixes, basic input/output system updates, and other digital electronic program updates that deliver bug fixes and address operability, reliability, and cybersecurity vulnerabilities. It covers many of the problems and industry concerns associated with IACS patch management for asset owners and IACS product suppliers.
Details are still being worked out, but ISA99 and its partner IEC committee, TC65 WG10, are planning to meet just outside of Houston in Galveston, Texas, in conjunction with the ISA Cybersecurity Standards Implementation Conference, during the week of 11 May, and then tentatively in September near Schiphol Airport in Amsterdam.
For information on viewing or obtaining any of the ISA/IEC 62443 standards, visit www.isa.org/findstandards. For information on ISA99, its meeting plans, or other related matters, contact Eliana Brazda, ISA Standards, firstname.lastname@example.org.