ISA/IEC 62443: What does it mean to you?

By Soroush Tazerji | ISA/IEC 62443 Cybersecurity Expert | June 2022

ISA/IEC 62443, formally known as ISA 99, is a series of international standards, specifications and technical
reports that were purpose-built to address security issues unique to Industrial Automation and Control
Systems (IACS) and Operational Technology (OT). It has become the leading industrial cybersecurity
standard for all types of plants, facilities and systems across industries, from manufacturing and processing
plants to energy suppliers and rail.
Because the topic is so broad, a single document discussing all facets of risk analysis, design, operation, and
maintenance was not practical. Instead, multiple documents were created that provide both normative
requirements and supporting guidance on securing OT systems across a lifecycle and defining specific
responsibilities and accountability for all roles, including asset owners, system integrators, suppliers, and
service providers. But how can various roles share the responsibilities through ISA/IEC 62443 cybersecurity
lifecycle? And how can you use the ISA/IEC 62443 based on your role?

Tactix – Cybersecurity Tip Sheet 1

ISA/IEC 62443 Structure

The ISA/IEC 62443 series of standards is made up of 14 work products including Standards, Technical
Specifications and Technical Reports categorized into the following four tiers:

Tier 1: General, provides an overview of the industrial security process and introduces essential concepts;
Tier 2: Policies and Procedures, highlights the importance of policies as even the best security system is
useless if people are not trained and committed to support it.
Tier 3: Systems, provides essential guidance for designing and implementing secure systems.
Tier 4: Components, describes the requirements that must be met for secured industrial components.

Some parts of ISA/IEC 62443 standrds are not published yet as ISA/IEC standards are on five year update
cycle. Table 1 shows the complete list of the current version of ISA/IEC 62443 standards and technical
reports based on their types.

Table 1 - ISA/IEC 62443 Series Structure

Part Title Type Latest Release /

Status
1-1 Terminology, Concepts and Models Technical Specification 2007
1-2 Master glossary of terms and abbreviations Technical Report In Development
General Development
1-3 System cybersecurity conformance metrics International Standard
Planned
1-4 IACS security lifecycle and use cases Technical Report In Development
2-1 Establishing an IACS security program International Standard 2009
2-2 IACS security program ratings International Standard Under review
Policies & 2-3 Patch managemet in the IACS environment Technical Report 2015
Procedures
2-4 Security program requriements for IACS service providers International Standard 2018
Development
2-5 Implementing guidance for IACS asset owners Technical Report
Planned
3-1 Security technologies for IACS Technical Report 2009
Systems 3-2 Security risk assessment for system design International Standard 2020
3-3 System security requirements and security levles International Standard 2013
4-1 Product security development lifecycle requirments International Standard 2018
Component
4-2 Technical security requirments for IACS components International Standard 2019

Prinicpal Roles

The ISA/IEC 62443 standard targets a wide range of people, from suppliers to integrators and asset
owners. To establish a robust and effective OT cybersecurity program, all stakeholders must share
responsibility during all phases of the OT cybersecurity life cycle.

Asset Owner is accountable for the cybersecurity risk of the IACS and responsible for the operation and
maintenance of systems. Asset owner may engage a Service provider with maintnenance capability that
provides support activities for an Automation Solution.

Product Suppliers are responsible for developing and distributing secure by design components, including
Control Systems, Embedded Devices, Host Devices, Network Devices, and/or Software Applications.

Tactix – Cybersecurity Tip Sheet 2

System Integrator is responsible for integration activities for an Automation Solution including design,
installation, configuration, testing, commissioning, and handover to the Asset Owner.

The relashionship between principal roles and the IACS is shown in Figure 1.

Figure 1 ISA/IEC 62443 roles and responsibilities

Lifecycle View
Like many other standards about control systems for industrial applications, the ISA/IEC 62443 series
employs a lifecycle approach to structure the tasks that must be accomplished, the inputs and outputs from
those tasks, and the requirements that those tasks must achieve.

There are two independent lifecycles described in the series: The Automation Solution Security Lifecycle
and the Product Security Lifecycle. The Automation Solution Security Lifecycle is further divided into an
Integration Phase and an Operation and Maintenance Phase. Table 2 shows the relationship between the
Parts of the ISA/IEC 62443 Series and the various lifecycles and phases.

Table 2 - ISA/IEC 62443 Lifecycle

Automation Solution Security Lifecycle Product Security Lifecycle

Integration Operation and Maintenance
Specification Design Implementation V&V Operation Maintenance Decommissioning

Automation Solution Security Lifecycle

Automation Solution Security Lifecycle specifies the technical and administrative security measures in a
particular facility and includes the following phases:
 Risk Assessment and Specification, includes identifying the System under Consideration (SuC),
performing an initial high-level risk assessment, and partitioning the System into security zones and
conduits. The result of this process is the Target Security Levels for each Zone and Conduit in the
SuC.
 Design, determines the SuC and includes technical security measures (based on Security Levels)
and Organisational security measures. Cybersecurity Requirement Specifictaion (CSRS) is the key
deliverable from this phase that must be approved by Asset Owners before starting

Tactix – Cybersecurity Tip Sheet 3

 implementation.
 Implementation, is when the technical security measures specified in CSRS are implemented in
IACS.
 Verification & Validation (V&V) , is when the IACS is tested to ensure that the technical and
organizational security measures meet the security requirements specified in the CSRS. There are
two main types of cybersecurity testing, Cybersecurity Factory Acceptance Test (CFAT) and
Cybersecurity Site Acceptance Test (CSAT). Handover of the IACS to Asset Owner is the last step in
V&V phase. Credentials should be changed before an IACS is put into operation.
 Operation, is when the IACS is placed into service and all of the organizational and technical
security measures are executed. Technical and organizational security measures and associated
IACS risk assessment must be periodically reviewed and updated.
 Maintenance, is triggered by Operations requests or the monitoring of security threats and security
vulnerabilities. Changes to address security threats or vulnerabilities must be implemented through
Management of Change process that includes risk assessment.
 Decommissioning, can be triggered by a maintenance activity or by major upgrade or at the end of
the project. In either case, the decommissioning must be done in such a way that the Asset
Owner’s on-going operations are not compromised. IACS sensitive data must be destructed or
purged at this phase.

The security program must be established and maintained throughout the entire Automation Solution
Security Lifecycle. The Automation Solution Security Lifecycle is shown Figure 2 alongside with roles and
key activity of each phase.

Figure 2 Automation Solution Security Lifecycle

Tactix – Cybersecurity Tip Sheet 4

Product Security Lifecycle

The Product Security Lifecycle specifies the security requirements used to design, develop, and support
IACS products including secure by design aspects and secure implementation. The integration of
comprehensive security controls such as design review, threat modeling, security verification & validation
testing, and security update management into the product lifecycle ensures that the risks are identified and
an appropriate mitigation is provided prior to the product release.

Part 4-1 describes process security requirements (e.g., policies and procedures) for the Security Lifecycle of
IACS System and Component product development and support. Part 4-2 specifies the technical security
requirements for IACS components based on Security Levels that allow the Product Supplier to deliver and
support a product. The prinicpal audience of these two parts are the Product Suppliers of the IACS system
and component products.

The product security lifecycle is orgonised around eight practices as listed below:
 Security management, intended to ensure that security related activities are adequately planned,
documented and executed through the product’s lifecycle.
 Specification of security requirements, intended to define and document the security capabilities
of the product and the expected product security context.
 Secure by design, intended to ensure that the appropriate security considerations have been
included throughout the specification and design phases of product development, based on the
defense in depth strategy.
 Secure implementation, intended to ensure that product functionality and security measures are
implemented securely.
 Security verification and validation testing, intended to ensure that the security requirements
have been met for the product, and security of the product is maintained when it is used in its
security context and configured according to the defense in depth strategy.
 Managment of security related issues, are used for handling security-related issues of a product
that has been configured to employ its defense in depth strategy within the product security
context.
 Security update management, intended to ensure security updates associated with the products
are tested for regressions and made available to product users in a timely manner.
 Security guidelines, intended to provide user documentation that describes how to integrate,
configure, and maintain the defense in depth strategy of the product in accordance with its product
security context.

Summary

The ISA/IEC 62443 standards are the most comprehensive and exhaustive cybersecurity standards available
to the critical infrastructure domains and industrial sectors, which describe cybersecurity reference
architectures, direction for security lifecycles, processes, requirements, technology, controls, testing,
product development and a cybersecurity management system. These standards provide a set of common
terms and requirements that can be used by Asset Owners, Product Suppliers and Service Providers to
secure their industrial automation and control systems and the equipment they control.

To understand how to use the ISA/IEC 62443 Series it is first necessary to understand the relationship
between roles that are identified in these standards. Therefore development of a cybersecurity framweork
and Term of Refernce (TOR) early in the project is one of the most important project success factors.

If you need any further information please contact our Security team using the contact page.

Tactix – Cybersecurity Tip Sheet 5

For more information:
If you would like to discuss or require further
information regarding this document or how Tactix can
assist with your Cybersecurity Advisory & Assurance
needs, please do not hesitate to get in touch and email
us at security@tactix.com.au .