Attacks and vulnerabilities involving industrial control systems (ICS) have been on the rise in recent years. For instance, Kaspersky revealed that attacks targeting ICS systems had increased 62% over the second half of 2020. It was a similar story in H1 2021 when BetaNews reported a 41% increase in the volume of ICS vulnerabilities. (ICS weaknesses grew just 25% between 2019 and 2020, by comparison.) Now with Industrial Cyber noting in early 2022 how Log4Shell might have affected at least one-tenth of ICS systems globally, it doesn’t appear that ICS threats will be slowing down anytime soon.
These developments emphasize the need for organizations to protect their ICS and other Operational Technology (OT) assets. They can use ISA/IEC 62443 towards that end. Let’s explore how below.
Overview of ISA/IEC 62443
ISA/IEC 62443 is a set of standards that organizations can use to secure their industrial automation and control systems (IACS) throughout their lifecycles. The International Electrotechnical Commission (IEC) and the International Society of Automation (ISA) initially developed ISA/IEC 62443 for use in industrial processing sectors only. However, they recognize that IEC 62443 is also applicable to power and energy distribution centers, among other entities, as organizations increasingly adopt IACS technologies and find that traditional IT security best practices can’t protect those systems.
“IT standards are not appropriate for IACS and other OT (operational technology) environments,” IEC explained in a blog post. “For example, they have different performance and availability requirements, and equipment lifetime. Moreover, cyber-attacks on IT systems have essentially economic consequences, while cyber-attacks on critical infrastructure can also be heavily environmental or even threaten public health and lives.”
Acknowledging this reality, IEC and ISA designed the standards to help organizations take a risk-based approach to securing their IACS. As such, ISA/IEC 62443 doesn’t just apply to the IACS technology itself. It also pertains to countermeasures and employee awareness. If properly addressed, these supporting elements can help to prevent a security incident from occurring in the first place, minimize the effects of an incident when it does occur, and augment security throughout the entire lifecycle.
ISA/IEC 62443 consists of four parts:
- A General section that includes terminology and topics that are relevant to the standards.
- A portion dedicated to Policies and Procedures that organizations can use to bolster their IACS security. These practices include establishing a formal security program for their IACS assets and delineating security requirements for IACS service providers.
- An overview of IACS security technologies and other System-level requirements.
- A compendium of Components and Requirements that help to ensure a secure product development lifecycle for IACS systems.
Some of ISA/IEC 62443 has been around since the early 2000s. But that doesn’t mean the series is outdated. On the contrary, the ISA99 committee of the International Society of Automation (ISA) and IEC Technical Committee 65 Working Group 10 develop the standards on an ongoing basis. Such refinement ultimately motivated IEC to designate the series as “horizontal” in December 2021, which means that the standards are now applicable to a variety of industries. This enables stakeholders who are operating in multiple sectors to use ISA/IEC 62443 as “the one single source for the fundamental principles and requirements of automation cybersecurity.” Similarly, automation system suppliers can now use the standards to certify their products for applications in a broader range of industries, all while the ISA Global Cybersecurity Alliance works with asset owners to help them to adopt the series in their organizations.
Overcoming the Challenges with Implementing ISA/IEC 62443
Notwithstanding the benefits of the “horizontal” designation discussed above, many organizations struggle to implement ISA/IEC 62443. That’s especially the case when they’re grappling with challenges involving their OT security efforts in general. In a 2021 survey, for instance, two-thirds of OT and Information Technology (IT) security practitioners said that sophisticated attacks on par with the Colonial Pipeline incident were making it more difficult for them to manage their organization’s OT security. Slightly fewer (55%) said that the growing complexity of their organization’s OT environments was hindering their ability to achieve comprehensive visibility into assets and potential threats. Others went on to indicate that the defensive capabilities deployed in those environments weren’t fulfilling their organization’s OT security requirements.
Fortunately, the challenges aren’t insurmountable. Teams can overcome them by ensuring that they have the necessary budget to meet their organization’s security requirements. IT and OT decision-makers might consider specifically gaining buy-in from stakeholders, as they can use that support to develop business use cases that explain the need for the proposed cybersecurity enhancements. The operative word there is “business”; decision-makers need to frame whatever security challenges and proposed solutions they wish to discuss in terms of the business.
Once they have the necessary budget, decision-makers can maximize their resources by directing them to managed security services. Working with a managed security services provider (MSSP) like ITEGRITI can provide organizations with continuous cybersecurity and compliance services such as vCISO and Workforce Support. They can use those offerings to implement ISA/IEC 62443 and to keep up with new versions of the series as they emerge.
Learn how ITEGRITI can manage your implementation of ISA/IEC 62443.