ISA/IEC 62443, formerly known as ISA 99, is a series of international standards, specifications and technical
reports that were purpose-built to address security issues unique to Industrial Automation and Control
Systems (IACS) and Operational Technology (OT). It has become the leading industrial cybersecurity
standard for all types of plants, facilities and systems across industries, from manufacturing and processing
plants to energy suppliers and rail.
Because the topic is so broad, a single document discussing all facets of risk analysis, design, operation, and
maintenance was not practical. Instead, multiple documents were created that provide both normative
requirements and supporting guidance on securing OT systems across a lifecycle and defining specific
responsibilities and accountability for all roles, including asset owners, system integrators, suppliers, and
service providers. But how can the various roles share responsibilities across the ISA/IEC 62443 cybersecurity
lifecycle? And how can you use ISA/IEC 62443 based on your role?
The ISA/IEC 62443 series of standards is made up of 14 work products including Standards, Technical
Specifications and Technical Reports categorized into the following four tiers:
Tier 1: General, provides an overview of the industrial security process and introduces essential concepts.
Tier 2: Policies and Procedures, highlights the importance of policies, as even the best security system is
useless if people are not trained and committed to support it.
Tier 3: Systems, provides essential guidance for designing and implementing secure systems.
Tier 4: Components, describes the requirements that must be met by secured industrial components.
Some parts of ISA/IEC 62443 are not yet published, as ISA/IEC standards are on a five-year update
cycle. Table 1 shows the complete list of the current versions of the ISA/IEC 62443 standards and technical
reports, grouped by type.
Principal Roles
The ISA/IEC 62443 standard targets a wide range of people, from suppliers to integrators and asset
owners. To establish a robust and effective OT cybersecurity program, all stakeholders must share
responsibility during all phases of the OT cybersecurity life cycle.
The Asset Owner is accountable for the cybersecurity risk of the IACS and responsible for the operation and
maintenance of its systems. The Asset Owner may engage a Service Provider with maintenance capability that
provides support activities for an Automation Solution.
Product Suppliers are responsible for developing and distributing secure by design components, including
Control Systems, Embedded Devices, Host Devices, Network Devices, and/or Software Applications.
The relationship between the principal roles and the IACS is shown in Figure 1.
Lifecycle View
Like many other standards about control systems for industrial applications, the ISA/IEC 62443 series
employs a lifecycle approach to structure the tasks that must be accomplished, the inputs and outputs from
those tasks, and the requirements that those tasks must achieve.
There are two independent lifecycles described in the series: The Automation Solution Security Lifecycle
and the Product Security Lifecycle. The Automation Solution Security Lifecycle is further divided into an
Integration Phase and an Operation and Maintenance Phase. Table 2 shows the relationship between the
Parts of the ISA/IEC 62443 Series and the various lifecycles and phases.
The security program must be established and maintained throughout the entire Automation Solution
Security Lifecycle. The Automation Solution Security Lifecycle is shown in Figure 2 alongside the roles and
key activities of each phase.
The Product Security Lifecycle specifies the security requirements used to design, develop, and support
IACS products including secure by design aspects and secure implementation. The integration of
comprehensive security controls such as design review, threat modeling, security verification & validation
testing, and security update management into the product lifecycle ensures that the risks are identified and
an appropriate mitigation is provided prior to the product release.
Part 4-1 describes the process security requirements (e.g., policies and procedures) for the security lifecycle of
IACS system and component product development and support. Part 4-2 specifies the technical security
requirements for IACS components, based on Security Levels, that allow the Product Supplier to deliver and
support a product. The principal audience of these two parts is the Product Suppliers of IACS system
and component products.
The product security lifecycle is organized around eight practices, as listed below:
Security management, intended to ensure that security related activities are adequately planned,
documented and executed through the product’s lifecycle.
Specification of security requirements, intended to define and document the security capabilities
of the product and the expected product security context.
Secure by design, intended to ensure that the appropriate security considerations have been
included throughout the specification and design phases of product development, based on the
defense in depth strategy.
Secure implementation, intended to ensure that product functionality and security measures are
implemented securely.
Security verification and validation testing, intended to ensure that the security requirements
have been met for the product, and security of the product is maintained when it is used in its
security context and configured according to the defense in depth strategy.
Management of security related issues, intended to handle security-related issues of a product
that has been configured to employ its defense in depth strategy within the product security
context.
Security update management, intended to ensure security updates associated with the products
are tested for regressions and made available to product users in a timely manner.
Security guidelines, intended to provide user documentation that describes how to integrate,
configure, and maintain the defense in depth strategy of the product in accordance with its product
security context.
Summary
The ISA/IEC 62443 standards are the most comprehensive and exhaustive cybersecurity standards available
to the critical infrastructure domains and industrial sectors, which describe cybersecurity reference
architectures, direction for security lifecycles, processes, requirements, technology, controls, testing,
product development and a cybersecurity management system. These standards provide a set of common
terms and requirements that can be used by Asset Owners, Product Suppliers and Service Providers to
secure their industrial automation and control systems and the equipment they control.
To understand how to use the ISA/IEC 62443 Series, it is first necessary to understand the relationship
between the roles identified in these standards. Therefore, development of a cybersecurity framework
and Terms of Reference (TOR) early in the project is one of the most important project success factors.