IT in Manufacturing


ISA99 committee advances ­cybersecurity standards

October 2015 IT in Manufacturing

The ISA99 committee on industrial auto­mation and control systems (IACS) cyber­security has primary responsibility for ­developing the ISA/IEC 62443 series of standards on this subject.

The committee recently held a series of working meetings in Frankfurt, Germany to assess the current status of the standards and confirm plans for future work. This included discussions related to several of the fundamental concepts that form the basis for the ISA 62443 series of standards.

This committee, formed in 2002 to develop standards and practices related to defining and applying industrial automation and control systems (IACS) cybersecurity, subsequently entered into a liaison relationship with the Technical Committee 65 of the International Electrotechnical Commission (IEC) with the understanding that any standards developed would be issued by both ISA and IEC.

The 62443 series

This collaboration led to the identification of a series of standards and technical reports, each addressing a specific aspect of the subject. Once approved, each document is published as both an ANSI/ISA and IEC standard or specification.

Several of these documents have been published and are available from ISA and IEC and several more exist in draft form. A summary of the current status of the various work products can be found on the committee website (http://isa99.isa.org).

The series components are organised into four tiers, each addressing a specific group of users and stakeholders. The top or first tier includes standards and technical reports that are intended for the general audience. The second tier includes documents that address the policies and procedures associated with an ICS security management system. The standards and reports in the second and third tiers address specific requirements for ICS systems and components.

Recent developments

Several documents in the 62443 series have been formally published or are about to be released to the committee for comment or vote. Recent publications include:

• 62443-2-3: Patch Management in the IACS Environment.

• 62443-2-4: Requirements for IACS Solutions Providers.

Documents that have recently been circulated for review and comment include:

• 62443-4-1: Product Development Requirements.

• 62443-4-2: Technical Security Requirements for IACS Components.

Finally, the following draft documents will soon be issued to the committee for review and approval:

• 62443-1-3: System Security Metrics.

• 62443-3-2: Security Risk Assessment and System Design.

Fundamental concepts

Several fundamental concepts form the basis for the 62443 series. The second edition of the 62443-1-1 standard will introduce each concept, which will be further detailed and applied in the remaining standards in the series.

Over the course of the Frankfurt meetings, those present reviewed several of these concepts and reaffirmed their importance as key elements of the series. Any inconsistencies across the standards were noted and will be addressed in subsequent editions.

The design, development, implementation, and operation of industrial control systems take place in the context of a set of intersecting life cycles, each addressing a specific set of activities and involving particular contributors.

The product development life cycle is primarily the responsibility of the product or system supplier. Integration and com­missioning are the focus of system integrators. Operation and maintenance are the responsibility of the asset owner.

Collectively, these life cycles provide the context for gathering the requirements and subsequently developing secure products, systems, and solutions.

Applying the zones and conduits concept is an essential first step in risk assessment and system design. The 62443-3-2 standard on this subject will soon be circulated to the committee for review and approval, with review by the broader IEC community to follow soon after.

New and evolving topics

In addition to the above established concepts members also discussed several topics that are still evolving.

Metrics

The committee recently began to develop a set of metrics that could be used to assess progress against many aspects of the standards. This material will appear in the form of the 62443-1-3 document.

Protection levels

There was a proposal to define 'protection levels' to provide additional guidance on the application of the standards. This proposal was developed by a group that has been working with the German National Committee and is being offered to the ISA99 committee for use in the 62443 series.

There was a consensus that this subject should be assigned to a new task group for further development. This work is scheduled to begin in September and volunteers are currently being solicited.

Risk assessment

Risk assessment is also an important element of an effective cybersecurity management system. Attendees reviewed and discussed a proposed methodology included in the current draft of the 62443-3-2 standard. Additional comments and feedback will be collected as part of the formal review and comment process.

Implications for stakeholders

The stakeholder community for the 62443 standards on industrial control systems security include suppliers, integrators, and asset owners across a broad range of industries. Each of these groups has different levels of interest in and applicability for the various types of standards in the series.

Those interested in learning more about the information contained in the 62443 standards will soon have available several new drafts for review and comments, as well as completed and published standards and reports in areas such as risk assessment and patch management.

These standards can be applied now to design, configure, operate, and maintain industrial control systems. Application assistance is available in the form of a series of training courses available from ISA.

As the full set of normative requirements and informative guidance become available, the committee’s attention will begin to shift to develop additional tools such as metrics and use cases. These will be also become valuable resources to those applying the standards.

For more information contact Paul Miller, ARC Advisory Group, +1 781 471 1141, [email protected], www.arcweb.com





Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Fortifying the state in a time of cyber siege
IT in Manufacturing
In an era where borders are no longer physical, South Africa is being drawn into a new kind of conflict, one fought not with tanks and missiles, but with lines of code and silent intrusions. The digital battlefield is here, and cyber space has become the next frontier of conflict.

Read more...
Levelling up workplace safety - how gamification is changing the rules of training
IT in Manufacturing
Despite the best intentions, traditional safety training often falls short, with curricula either being too generic, too passive, or ultimately unmemorable. Enter gamification, a shift in training that is redefining how businesses train for safety and live by those principles.

Read more...
Reinventing data centre design: critical changes to meet surging
Schneider Electric South Africa IT in Manufacturing
AI technologies are pushing the boundaries of what is possible which, in turn, is presenting data centres with a whole new set of challenges. Fortunately, several options are emerging which include optimising design and infrastructure for efficiency, cooling and management systems

Read more...
Watts next - can IT save the planet
IT in Manufacturing
The digital age’s insatiable demand for computing power has collided with an urgent and pressing need for sustainability. As data centres and AI workloads consume unprecedented energy, IT providers are pivotal in redefining how technology intersects with environmental stewardship.

Read more...
South Africa’s digital revolution:
IT in Manufacturing
South Africa stands at a pivotal moment in its technological evolution, poised to redefine itself as Africa’s leading digital powerhouse. Over the past two years, political leaders and media narratives have painted a picture of rapid digital transformation, underscoring the government’s ambition to position South Africa at the forefront of innovation.

Read more...
Smart manufacturing, APC and the SA marketplace
Schneider Electric South Africa IT in Manufacturing
Manufacturers are prioritising the integration of smart technologies into their daily operations to stay one step ahead of the competition. In South Africa, some experts believe the country has the potential to leapfrog its global peers through the creation of smart factories.

Read more...
Schneider Electric’s Five-Pillar Strategy takes the guesswork out of equip
Schneider Electric South Africa IT in Manufacturing
Schneider Electric’s Field Service Cycle, otherwise known as the Five-Pillar Strategy, is a structured approach to managing the lifecycle of equipment to prolong asset lifespan while reducing the total cost of ownership for customers.

Read more...
Enhancing operational safety and efficiency through advanced risk-based modelling
IT in Manufacturing
Now, more than ever, capital and operational cost can be reduced while enhancing operational safety and increasing production uptime by applying transformative methods such as Computational Fluid Dynamics modelling.

Read more...
Laying the groundwork in IT/OT
IT in Manufacturing
In the realm of manufacturing, the core mandate is to deliver value to stakeholders. For many in the industry, this is best achieved through a risk-averse approach. Only upon establishing a robust foundation should a business consider venturing into advanced optimisation or cutting-edge technological innovations such as industrial AI.

Read more...
Looking into the future of machine vision
Omron Electronics IT in Manufacturing
Artificial intelligence (AI) is driving a significant transformation in all areas of industrial automation, and machine vision is no exception. Omron’s AI-powered machine vision systems seamlessly integrate state-of-the-art algorithms, enabling machines to analyse and interpret visual data meticulously.

Read more...









While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd | All Rights Reserved