A recently published standard, now adopted internationally, addresses the risks that arise when cybersecurity solutions designed for business information technology (IT) are applied to industrial automation and control systems (IACS) in complex and hazardous manufacturing and processing applications.
The ISA-62443 series of standards, developed by the ISA99 committee of the International Society of Automation (ISA) and adopted globally by the International Electrotechnical Commission (IEC), is designed to provide a flexible framework for addressing and mitigating current and future vulnerabilities in IACS. The latest published standard in the series is ISA-62443-3-3-2013, Security for Industrial Automation and Control Systems Part 3-3: System Security Requirements and Security Levels.
IACS security goals typically focus on control system availability, plant protection, plant operations, and time-critical system response, whereas IT security goals more often focus on protecting information rather than physical assets. For this reason, the ISA says, IT cybersecurity solutions applied to IACS must be implemented knowledgeably to avoid introducing unintended vulnerabilities that could lead to disastrous health, safety, environmental, financial, and/or reputational impacts in deployed control systems.
The new ISA99 standard addresses this concern by defining system requirements through a combination of functional requirements, risk assessment, and awareness of operational issues. It provides detailed technical control system requirements for each of the seven foundational requirements described in the first ISA99 standard, ISA-62443-1-1 (99.01.01), and defines the requirements a control system must satisfy to claim each capability security level. Those responsible for IACS cybersecurity will use these requirements when developing the appropriate target security levels for specific control system assets.
The ISA99 committee says it drew on the input and knowledge of IACS security experts from around the globe. Unlike programs targeted at a single industry, ISA99 applies to all industry sectors and critical infrastructure, in recognition of the interrelated nature of industrial computer networks, in which a cyber vulnerability exploited in one sector can affect multiple sectors and infrastructures.
ANSI/ISA-62443-3-3-2013 was approved as an American National Standard on August 13, 2013. An essentially identical version is to be published by the IEC later in 2013 as IEC 62443-3-3.
The standard is available at www.isa.org/findstandards (select ‘62443’ from the drop-down list and scroll down) or by calling 919-990-9200.
Sources: POWER, ISA
—Gail Reitenbach, PhD, Editor (@POWERmagazine, @GailReit)