IT in Manufacturing

ISA99 committee advances ­cybersecurity standards

October 2015 IT in Manufacturing

The ISA99 committee on industrial auto­mation and control systems (IACS) cyber­security has primary responsibility for ­developing the ISA/IEC 62443 series of standards on this subject.

The committee recently held a series of working meetings in Frankfurt, Germany to assess the current status of the standards and confirm plans for future work. This included discussions related to several of the fundamental concepts that form the basis for the ISA 62443 series of standards.

This committee, formed in 2002 to develop standards and practices related to defining and applying industrial automation and control systems (IACS) cybersecurity, subsequently entered into a liaison relationship with the Technical Committee 65 of the International Electrotechnical Commission (IEC) with the understanding that any standards developed would be issued by both ISA and IEC.

The 62443 series

This collaboration led to the identification of a series of standards and technical reports, each addressing a specific aspect of the subject. Once approved, each document is published as both an ANSI/ISA and IEC standard or specification.

Several of these documents have been published and are available from ISA and IEC and several more exist in draft form. A summary of the current status of the various work products can be found on the committee website (

The series components are organised into four tiers, each addressing a specific group of users and stakeholders. The top or first tier includes standards and technical reports that are intended for the general audience. The second tier includes documents that address the policies and procedures associated with an ICS security management system. The standards and reports in the second and third tiers address specific requirements for ICS systems and components.

Recent developments

Several documents in the 62443 series have been formally published or are about to be released to the committee for comment or vote. Recent publications include:

• 62443-2-3: Patch Management in the IACS Environment.

• 62443-2-4: Requirements for IACS Solutions Providers.

Documents that have recently been circulated for review and comment include:

• 62443-4-1: Product Development Requirements.

• 62443-4-2: Technical Security Requirements for IACS Components.

Finally, the following draft documents will soon be issued to the committee for review and approval:

• 62443-1-3: System Security Metrics.

• 62443-3-2: Security Risk Assessment and System Design.

Fundamental concepts

Several fundamental concepts form the basis for the 62443 series. The second edition of the 62443-1-1 standard will introduce each concept, which will be further detailed and applied in the remaining standards in the series.

Over the course of the Frankfurt meetings, those present reviewed several of these concepts and reaffirmed their importance as key elements of the series. Any inconsistencies across the standards were noted and will be addressed in subsequent editions.

The design, development, implementation, and operation of industrial control systems take place in the context of a set of intersecting life cycles, each addressing a specific set of activities and involving particular contributors.

The product development life cycle is primarily the responsibility of the product or system supplier. Integration and com­missioning are the focus of system integrators. Operation and maintenance are the responsibility of the asset owner.

Collectively, these life cycles provide the context for gathering the requirements and subsequently developing secure products, systems, and solutions.

Applying the zones and conduits concept is an essential first step in risk assessment and system design. The 62443-3-2 standard on this subject will soon be circulated to the committee for review and approval, with review by the broader IEC community to follow soon after.

New and evolving topics

In addition to the above established concepts members also discussed several topics that are still evolving.


The committee recently began to develop a set of metrics that could be used to assess progress against many aspects of the standards. This material will appear in the form of the 62443-1-3 document.

Protection levels

There was a proposal to define 'protection levels' to provide additional guidance on the application of the standards. This proposal was developed by a group that has been working with the German National Committee and is being offered to the ISA99 committee for use in the 62443 series.

There was a consensus that this subject should be assigned to a new task group for further development. This work is scheduled to begin in September and volunteers are currently being solicited.

Risk assessment

Risk assessment is also an important element of an effective cybersecurity management system. Attendees reviewed and discussed a proposed methodology included in the current draft of the 62443-3-2 standard. Additional comments and feedback will be collected as part of the formal review and comment process.

Implications for stakeholders

The stakeholder community for the 62443 standards on industrial control systems security include suppliers, integrators, and asset owners across a broad range of industries. Each of these groups has different levels of interest in and applicability for the various types of standards in the series.

Those interested in learning more about the information contained in the 62443 standards will soon have available several new drafts for review and comments, as well as completed and published standards and reports in areas such as risk assessment and patch management.

These standards can be applied now to design, configure, operate, and maintain industrial control systems. Application assistance is available in the form of a series of training courses available from ISA.

As the full set of normative requirements and informative guidance become available, the committee’s attention will begin to shift to develop additional tools such as metrics and use cases. These will be also become valuable resources to those applying the standards.

For more information contact Paul Miller, ARC Advisory Group, +1 781 471 1141,,

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Mitigate industrial network vulnerabilities
July 2021, RJ Connect , IT in Manufacturing
It must not be forgotten that ignoring common system vulnerabilities in today’s world could put your entire network at risk.

Digital transformation in mining
July 2021 , IT in Manufacturing
Rapid advances in technology have disrupted industries and businesses around the world, which are now being forced to accept this new reality rather quickly because the new technologies have tremendous potential to deliver value for those who adopt them.

Digital twins require accurate and reliable data to be effective
July 2021 , IT in Manufacturing
At the 25th ARC Industry Forum, hosted virtually, many industry experts gave their perspectives on accelerating digital transformation in the post-Covid world.

Frequency analysis without programming requirements
July 2021, Beckhoff Automation , IT in Manufacturing
Beckhoff expands TwinCAT Analytics with easy-to-configure condition monitoring functions.

Siemens adds AI to Simcenter
July 2021, Siemens Digital Industries , IT in Manufacturing
Siemens Digital Industries Software has announced the latest release of Simcenter Studio software, a web application dedicated to discovering better system architectures, faster. Simcenter Studio offers ...

ABB technology can help make SA steel industry competitive
June 2021, ABB South Africa , IT in Manufacturing
South Africa’s steel industry needs to invest in technology like automation and data analytics if it is to improve its productivity to the point where it is globally competitive.

Siemens expands CFD simulations
June 2021, Siemens Digital Industries , IT in Manufacturing
Siemens’ Simcenter portfolio expands capabilities for frontloading computational fluid dynamics (CFD) simulation and increased productivity.

Digital twin for refinery production
June 2021, Yokogawa South Africa , IT in Manufacturing
Within Repsol’s Industrial Business, the development of a refinery digital twin leads the digitalisation program. The digital twin maximises production while optimising energy consumption.

Building secure networks
June 2021, RJ Connect , IT in Manufacturing
This article explores how to build resilient industrial networks and deploy cybersecurity defences in order to sustain continuous industrial operations.

Improving the state of OT cybersecurity by sharing experiences
June 2021 , IT in Manufacturing
It is essential that we view improvements in cybersecurity as requiring improvements in multiple areas, including people and skills development, governance and process development and improved technology.