{"id":3308,"date":"2022-03-21T14:18:04","date_gmt":"2022-03-21T14:18:04","guid":{"rendered":"https:\/\/itegriti.com\/staging\/?p=3308"},"modified":"2022-03-22T18:11:34","modified_gmt":"2022-03-22T18:11:34","slug":"what-is-isa-iec-62443","status":"publish","type":"post","link":"https:\/\/itegriti.com\/staging\/2022\/managed-services\/what-is-isa-iec-62443\/","title":{"rendered":"What Is ISA\/IEC 62443?"},"content":{"rendered":"<p>Attacks and vulnerabilities involving industrial control systems (ICS) have been on the rise in recent years. For instance, <a href=\"https:\/\/usa.kaspersky.com\/about\/press-releases\/2021_kaspersky-finds-threats-against-ics-on-the-rise-in-h2-2020\" target=\"_blank\" rel=\"noopener\">Kaspersky<\/a> revealed that attacks targeting ICS systems had increased 62% over the second half of 2020. 
It was a similar story in H1 2021 when <a href=\"https:\/\/betanews.com\/2021\/08\/18\/ics-vulnerabilities-rise-attacks-increase\/\" target=\"_blank\" rel=\"noopener\">BetaNews<\/a> reported a 41% increase in the volume of ICS vulnerabilities. (ICS weaknesses grew just 25% between 2019 and 2020, by comparison.) Now with <a href=\"https:\/\/industrialcyber.co\/threats-attacks\/log4shell-vulnerability-may-have-affected-close-to-10-percent-of-ics-systems-globally\/\" target=\"_blank\" rel=\"noopener\">Industrial Cyber<\/a> noting in early 2022 how Log4Shell might have affected at least one-tenth of ICS systems globally, it doesn\u2019t appear that ICS threats will be slowing down anytime soon.<\/p>\n<p>These developments emphasize the need for organizations to protect their ICS and other Operational Technology (OT) assets. They can use ISA\/IEC 62443 towards that end. Let\u2019s explore how below.<\/p>\n<h2>Overview of ISA\/IEC 62443<\/h2>\n<p>ISA\/IEC 62443 is a set of standards that organizations can use to secure their industrial automation and control systems (IACS) throughout their lifecycles. The International Electrotechnical Commission (IEC) and the International Society of Automation (ISA) initially developed ISA\/IEC 62443 for use in industrial processing sectors only. However, they recognize that IEC 62443 is applicable to power and energy distribution centers, among other entities, as organizations increasingly adopt IACS technologies\u2026and find that traditional IT security best practices can\u2019t protect those systems.<\/p>\n<p>\u201cIT standards are not appropriate for IACS and other OT (operational technology) environments,\u201d IEC explained in a <a href=\"https:\/\/www.iec.ch\/blog\/understanding-iec-62443\" target=\"_blank\" rel=\"noopener\">blog post<\/a>. \u201cFor example, they have different performance and availability requirements, and equipment lifetime. 
Moreover, cyber-attacks on IT systems have essentially economic consequences, while cyber-attacks on critical infrastructure can also be heavily environmental or even threaten public-health and lives.\u201d<\/p>\n<p>Acknowledging this reality, IEC and ISA designed the standards to help organizations take a risk-based approach to secure their IACS. As such, ISA\/IEC 62443 doesn\u2019t just apply to the IACS technology itself. It also pertains to countermeasures and employee awareness. If properly addressed, these supporting elements can help to prevent a security incident from occurring in the first place, minimize the effects of an incident when it does occur, and augment security throughout the entire lifecycle.<\/p>\n<p>ISA\/IEC 62443 consists of four parts:<\/p>\n<ul>\n<li>A <strong>General<\/strong> section that includes terminology and topics that are relevant to the standards.<\/li>\n<li>A portion dedicated to <strong>Policies and Procedures<\/strong> that organizations can use to bolster their IACS security. These practices include establishing a formal security program for their IACS assets and delineating security requirements for IACS service providers.<\/li>\n<li>An overview of IACS security technologies and other <strong>System<\/strong>-level requirements.<\/li>\n<li>A compendium of <strong>Components and Requirements<\/strong> that help to ensure a secure product development lifecycle for IACS systems.<\/li>\n<\/ul>\n<p>Some of ISA\/IEC 62443 has been around since the early 2000s. But that doesn\u2019t mean the series is outdated. On the contrary, the ISA99 committee of the International Society of Automation (ISA) and IEC Technical Committee 65 Working Group 10 develop the standards on an ongoing basis. 
Such refinement ultimately motivated IEC to <a href=\"https:\/\/www.isa.org\/intech-home\/2021\/december-2021\/departments\/isa-iec-62443-cybersecurity-series-designated-as-i\" target=\"_blank\" rel=\"noopener\">designate the series as \u201chorizontal\u201d in December 2021<\/a>, which means that the standards are now applicable to a variety of industries. This enables stakeholders who are operating in multiple sectors to use ISA\/IEC 62443 as \u201cthe one single source for the fundamental principles and requirements of automation cybersecurity.\u201d Similarly, automation system suppliers can now use the standards to certify their products for applications in a broader range of industries, all while the ISA Global Cybersecurity Alliance works with asset owners to help them to adopt the series in their organizations.<\/p>\n<h2>Overcoming the Challenges with Implementing ISA\/IEC 62443<\/h2>\n<p>Notwithstanding the benefits of the \u201chorizontal\u201d designation discussed above, many organizations struggle to implement ISA\/IEC 62443. That\u2019s especially the case when they\u2019re grappling with challenges involving their OT security efforts in general. In the 2021 <a href=\"https:\/\/itegriti.com\/staging\/2022\/managed-services\/applied-risk-report-hints-at-the-future-of-next-gen-ot\/\">survey<\/a>, for instance, two-thirds of OT and Information Technology (IT) security practitioners said that sophisticated attacks on par with the <a href=\"https:\/\/itegriti.com\/staging\/2021\/cybersecurity\/what-you-need-to-know-about-the-cyber-attack-against-colonial-pipeline\/\" target=\"_blank\" rel=\"noopener\">Colonial Pipeline incident<\/a> were making it more difficult for them to manage their organization\u2019s OT security. Slightly fewer (55%) said that the growing complexity of their organization\u2019s OT environments was hindering their ability to achieve comprehensive visibility into assets and potential threats. 
Others went on to indicate that the defensive capabilities deployed in those environments weren\u2019t fulfilling their organization\u2019s OT security requirements.<\/p>\n<p>Fortunately, the challenges aren\u2019t insurmountable. Teams can overcome them by ensuring that they have the necessary budget to meet their organization\u2019s security requirements. IT and OT decision-makers might consider specifically <a href=\"https:\/\/itegriti.com\/staging\/2021\/managed-services\/on-the-importance-of-investing-in-cybersecurity\/\" target=\"_blank\" rel=\"noopener\">gaining buy-in from stakeholders<\/a>, as they can use that support to develop business use cases that explain the need for the proposed cybersecurity enhancements. The operative word there is \u201cbusiness\u201d; decision-makers need to frame whatever security challenges and proposed solutions they wish to discuss in terms of the business.<\/p>\n<p>Once they have the necessary budget, decision-makers can maximize their resources by directing them to managed security services. Working with a managed security services provider (MSSP) like ITEGRITI can help to provide organizations with continuous cybersecurity and compliance services like vCISO and Workforce Support. 
They can use those offerings to implement ISA\/IEC 62443 and to keep up with new versions of the series as they emerge.<\/p>\n<p><a href=\"https:\/\/itegriti.com\/staging\/managed-services\/\">Learn how ITEGRITI can manage your implementation of ISA\/IEC 62443<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":12,"featured_media":3312,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2180],"tags":[],"_links":{"self":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts\/3308"}],"collection":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/comments?post=3308"}],"version-history":[{"count":3,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts\/3308\/revisions"}],"predecessor-version":[{"id":3311,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts\/3308\/revisions\/3311"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/media\/3312"}],"wp:attachment":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/media?parent=3308"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/categories?post=3308"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/tags?post=3308"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}