The ISA99 committee on industrial automation and control systems (IACS) cybersecurity has primary responsibility for developing the ISA/IEC 62443 series of standards on this subject.
The committee recently held a series of working meetings in Frankfurt, Germany to assess the current status of the standards and confirm plans for future work. This included discussions related to several of the fundamental concepts that form the basis for the ISA 62443 series of standards.
This committee, formed in 2002 to develop standards and practices related to defining and applying industrial automation and control systems (IACS) cybersecurity, subsequently entered into a liaison relationship with the Technical Committee 65 of the International Electrotechnical Commission (IEC) with the understanding that any standards developed would be issued by both ISA and IEC.
The 62443 series
This collaboration led to the identification of a series of standards and technical reports, each addressing a specific aspect of the subject. Once approved, each document is published as both an ANSI/ISA and IEC standard or specification.
Several of these documents have been published and are available from ISA and IEC and several more exist in draft form. A summary of the current status of the various work products can be found on the committee website (http://isa99.isa.org).
The series components are organised into four tiers, each addressing a specific group of users and stakeholders. The top or first tier includes standards and technical reports that are intended for the general audience. The second tier includes documents that address the policies and procedures associated with an ICS security management system. The standards and reports in the second and third tiers address specific requirements for ICS systems and components.
Several documents in the 62443 series have been formally published or are about to be released to the committee for comment or vote. Recent publications include:
• 62443-2-3: Patch Management in the IACS Environment.
• 62443-2-4: Requirements for IACS Solutions Providers.
Documents that have recently been circulated for review and comment include:
• 62443-4-1: Product Development Requirements.
• 62443-4-2: Technical Security Requirements for IACS Components.
Finally, the following draft documents will soon be issued to the committee for review and approval:
• 62443-1-3: System Security Metrics.
• 62443-3-2: Security Risk Assessment and System Design.
Several fundamental concepts form the basis for the 62443 series. The second edition of the 62443-1-1 standard will introduce each concept, which will be further detailed and applied in the remaining standards in the series.
Over the course of the Frankfurt meetings, those present reviewed several of these concepts and reaffirmed their importance as key elements of the series. Any inconsistencies across the standards were noted and will be addressed in subsequent editions.
The design, development, implementation, and operation of industrial control systems take place in the context of a set of intersecting life cycles, each addressing a specific set of activities and involving particular contributors.
The product development life cycle is primarily the responsibility of the product or system supplier. Integration and commissioning are the focus of system integrators. Operation and maintenance are the responsibility of the asset owner.
Collectively, these life cycles provide the context for gathering the requirements and subsequently developing secure products, systems, and solutions.
Applying the zones and conduits concept is an essential first step in risk assessment and system design. The 62443-3-2 standard on this subject will soon be circulated to the committee for review and approval, with review by the broader IEC community to follow soon after.
New and evolving topics
In addition to the above established concepts members also discussed several topics that are still evolving.
The committee recently began to develop a set of metrics that could be used to assess progress against many aspects of the standards. This material will appear in the form of the 62443-1-3 document.
There was a proposal to define 'protection levels' to provide additional guidance on the application of the standards. This proposal was developed by a group that has been working with the German National Committee and is being offered to the ISA99 committee for use in the 62443 series.
There was a consensus that this subject should be assigned to a new task group for further development. This work is scheduled to begin in September and volunteers are currently being solicited.
Risk assessment is also an important element of an effective cybersecurity management system. Attendees reviewed and discussed a proposed methodology included in the current draft of the 62443-3-2 standard. Additional comments and feedback will be collected as part of the formal review and comment process.
Implications for stakeholders
The stakeholder community for the 62443 standards on industrial control systems security include suppliers, integrators, and asset owners across a broad range of industries. Each of these groups has different levels of interest in and applicability for the various types of standards in the series.
Those interested in learning more about the information contained in the 62443 standards will soon have available several new drafts for review and comments, as well as completed and published standards and reports in areas such as risk assessment and patch management.
These standards can be applied now to design, configure, operate, and maintain industrial control systems. Application assistance is available in the form of a series of training courses available from ISA.
As the full set of normative requirements and informative guidance become available, the committee’s attention will begin to shift to develop additional tools such as metrics and use cases. These will be also become valuable resources to those applying the standards.
© Technews Publishing (Pty) Ltd | All Rights Reserved