IT in Manufacturing


ISA99 committee advances ­cybersecurity standards

October 2015 IT in Manufacturing

The ISA99 committee on industrial auto­mation and control systems (IACS) cyber­security has primary responsibility for ­developing the ISA/IEC 62443 series of standards on this subject.

The committee recently held a series of working meetings in Frankfurt, Germany to assess the current status of the standards and confirm plans for future work. This included discussions related to several of the fundamental concepts that form the basis for the ISA 62443 series of standards.

This committee, formed in 2002 to develop standards and practices related to defining and applying industrial automation and control systems (IACS) cybersecurity, subsequently entered into a liaison relationship with the Technical Committee 65 of the International Electrotechnical Commission (IEC) with the understanding that any standards developed would be issued by both ISA and IEC.

The 62443 series

This collaboration led to the identification of a series of standards and technical reports, each addressing a specific aspect of the subject. Once approved, each document is published as both an ANSI/ISA and IEC standard or specification.

Several of these documents have been published and are available from ISA and IEC and several more exist in draft form. A summary of the current status of the various work products can be found on the committee website (http://isa99.isa.org).

The series components are organised into four tiers, each addressing a specific group of users and stakeholders. The top or first tier includes standards and technical reports that are intended for the general audience. The second tier includes documents that address the policies and procedures associated with an ICS security management system. The standards and reports in the second and third tiers address specific requirements for ICS systems and components.

Recent developments

Several documents in the 62443 series have been formally published or are about to be released to the committee for comment or vote. Recent publications include:

• 62443-2-3: Patch Management in the IACS Environment.

• 62443-2-4: Requirements for IACS Solutions Providers.

Documents that have recently been circulated for review and comment include:

• 62443-4-1: Product Development Requirements.

• 62443-4-2: Technical Security Requirements for IACS Components.

Finally, the following draft documents will soon be issued to the committee for review and approval:

• 62443-1-3: System Security Metrics.

• 62443-3-2: Security Risk Assessment and System Design.

Fundamental concepts

Several fundamental concepts form the basis for the 62443 series. The second edition of the 62443-1-1 standard will introduce each concept, which will be further detailed and applied in the remaining standards in the series.

Over the course of the Frankfurt meetings, those present reviewed several of these concepts and reaffirmed their importance as key elements of the series. Any inconsistencies across the standards were noted and will be addressed in subsequent editions.

The design, development, implementation, and operation of industrial control systems take place in the context of a set of intersecting life cycles, each addressing a specific set of activities and involving particular contributors.

The product development life cycle is primarily the responsibility of the product or system supplier. Integration and com­missioning are the focus of system integrators. Operation and maintenance are the responsibility of the asset owner.

Collectively, these life cycles provide the context for gathering the requirements and subsequently developing secure products, systems, and solutions.

Applying the zones and conduits concept is an essential first step in risk assessment and system design. The 62443-3-2 standard on this subject will soon be circulated to the committee for review and approval, with review by the broader IEC community to follow soon after.

New and evolving topics

In addition to the above established concepts members also discussed several topics that are still evolving.

Metrics

The committee recently began to develop a set of metrics that could be used to assess progress against many aspects of the standards. This material will appear in the form of the 62443-1-3 document.

Protection levels

There was a proposal to define 'protection levels' to provide additional guidance on the application of the standards. This proposal was developed by a group that has been working with the German National Committee and is being offered to the ISA99 committee for use in the 62443 series.

There was a consensus that this subject should be assigned to a new task group for further development. This work is scheduled to begin in September and volunteers are currently being solicited.

Risk assessment

Risk assessment is also an important element of an effective cybersecurity management system. Attendees reviewed and discussed a proposed methodology included in the current draft of the 62443-3-2 standard. Additional comments and feedback will be collected as part of the formal review and comment process.

Implications for stakeholders

The stakeholder community for the 62443 standards on industrial control systems security include suppliers, integrators, and asset owners across a broad range of industries. Each of these groups has different levels of interest in and applicability for the various types of standards in the series.

Those interested in learning more about the information contained in the 62443 standards will soon have available several new drafts for review and comments, as well as completed and published standards and reports in areas such as risk assessment and patch management.

These standards can be applied now to design, configure, operate, and maintain industrial control systems. Application assistance is available in the form of a series of training courses available from ISA.

As the full set of normative requirements and informative guidance become available, the committee’s attention will begin to shift to develop additional tools such as metrics and use cases. These will be also become valuable resources to those applying the standards.

For more information contact Paul Miller, ARC Advisory Group, +1 781 471 1141, [email protected], www.arcweb.com





Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Transforming battery manufacturing processes
IT in Manufacturing
Siemens and Hirano Tecseed, a Japanese machine builder, are partnering to transform battery manufacturing processes.

Read more...
From Trojan takeovers to ransomware roulette
IT in Manufacturing
Cisco’s Cyber Threat Trends Report offers a comprehensive and overview of the evolving cybersecurity landscape, leveraging its vast global reach through the analysis of DNS traffic.

Read more...
The road to decarbonisation in mining
IT in Manufacturing
The mining industry is a key player in global carbon emissions, and ABB’s eMine is at the forefront of efforts to drive the sector’s decarbonisation.

Read more...
Siemens democratises AI-driven PCB design for small and medium electronics teams
Siemens South Africa IT in Manufacturing
Siemens Digital Industries Software is making its AI-enhanced electronic systems design technology more accessible to small and mid-sized businesses with PADS Pro Essentials software and Xpedition Standard software.

Read more...
Siemens’ PAVE360 to support new Arm Zena Compute Subsystems
IT in Manufacturing
Siemens Digital Industries Software is expanding its longstanding relationship with Arm and adding support for the newly launched Arm Zena Compute Subsystems in its PAVE360 software, designed for software-defined vehicles

Read more...
Empowering OEMs in industrial automation
Schneider Electric South Africa IT in Manufacturing
Organisations are increasingly focusing on empowering OEMs within the industrial automation sector

Read more...
Fortifying the state in a time of cyber siege
IT in Manufacturing
In an era where borders are no longer physical, South Africa is being drawn into a new kind of conflict, one fought not with tanks and missiles, but with lines of code and silent intrusions. The digital battlefield is here, and cyber space has become the next frontier of conflict.

Read more...
Levelling up workplace safety - how gamification is changing the rules of training
IT in Manufacturing
Despite the best intentions, traditional safety training often falls short, with curricula either being too generic, too passive, or ultimately unmemorable. Enter gamification, a shift in training that is redefining how businesses train for safety and live by those principles.

Read more...
Reinventing data centre design: critical changes to meet surging
Schneider Electric South Africa IT in Manufacturing
AI technologies are pushing the boundaries of what is possible which, in turn, is presenting data centres with a whole new set of challenges. Fortunately, several options are emerging which include optimising design and infrastructure for efficiency, cooling and management systems

Read more...
Watts next - can IT save the planet
IT in Manufacturing
The digital age’s insatiable demand for computing power has collided with an urgent and pressing need for sustainability. As data centres and AI workloads consume unprecedented energy, IT providers are pivotal in redefining how technology intersects with environmental stewardship.

Read more...









While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd | All Rights Reserved