IEC 62443 (also known as ISA/IEC 62443) are a set of standards for the security of industrial automation and control systems. These consensus-based standards were originally developed with the goal of securing U.S. critical infrastructure against cyber attacks, and have been proven to apply to a broad range of industries, making them relevant for any industry that makes use of industrial automation and control systems.
The ISA/IEC 62443 standards are a joint project of the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC). They have been endorsed by the United Nations and integrated into the draft of the UN’s Economic and Social Council’s proposal for a common regulatory framework on cyber security in Europe. While the complete ISA/IEC 62443 Standards documentation is a paid product of the ISA/IEC, they offer a quick start guide for free.
Who should use the IEC 62443 standard (ISA 62443 Standard)?
The IEC 62443 standards are intended for IACS asset owners, automation product suppliers, system integrators, and maintenance providers. The standards take into account the multiple roles involved in the design and operation of industrial automation and control systems. While the asset owners have overall responsibility for the security of their OT, they need the cooperation of their product suppliers, their system integrators and their maintenance providers, and the different parts of the IEC cyber security standards are relevant to those different roles.
The core ISA/IEC 62443 Standard is Part 2-1, which sets the requirements for the
security program of an asset owner. The other standards derive their definitions and directions from Part 2-1, and they include:
● Part 3-2: how to divide an IACS into zones and conduits (to reduce the impact one part can have on another), how to assess the risk of each division and how to define a target security level. It also discusses how to create a cyber security requirements specification for the automation solution. The results of the work done in this part informs the application of:
- Part 3-3: automation system security requirements. This is most relevant to automation system integrators.
- Part 4-1: product development and life-cycle security requirements. This is most relevant to product suppliers.
- Part 2-4: security requirements for service providers that support the IACS through integration or maintenance services
● Part 2-3: requirements for the patch management process. There will inevitably need to be fixes to security issues discovered in the products or systems that make up your IACS, and you need to establish in advance how you are going to deal with those fixes without unacceptable system disruption.
What are IEC 62443 security levels?
The IEC 62443 includes a way to classify the technical requirements for the security needs of different industrial control systems. These IEC 62443 security levels provide an easily understandable way to communicate about what level of protection a system needs, as well as what its current level of protection is as regards any individual technical requirement.
The IEC 62443 security levels all start with SL (for “security level”) and they are as follows:
- SL0 – No special protection required
- SL1 – Protection against accidental misuse
- SL2 – Protection against intentional misuse by simple means involving few resources, general (non IACS-specific) knowledge and low motivation
- SL3 – Protection against intentional misuse by sophisticated means involving moderate resources, IACS-specific knowledge and moderate motivation
- SL4 – Protection against intentional misuse by sophisticated means involving extensive resources, IACS-specific knowledge and high motivation
Benefits of IEC 62443 certification for Industrial Control Systems Cybersecurity
There are two different types of IEC 62443 certification: one for an individual professional wishing to demonstrate mastery of the IEC 62443 standards and their application, and another for suppliers that want to show that their systems or products are certified for IEC 62443 compliance.
Professional IEC 62443 certification can be obtained from the ISA through their Cybersecurity Certificate Training Program. Certificates are attained by completing training courses on different aspects of the ISA/IEC 62443 standards and passing a corresponding exam.
The benefits of this certification are both the knowledge gained, which enhances the ability of an IT and control system professional to do their job well, as well as the ability to demonstrate proficiencies to current or potential employers.
Industrial automation and control system manufacturers and suppliers who wish to have proof of their products’ conformance with the ISA/IEC 62443 standards can be evaluated and certified by the ISA Security Compliance Institute or their partnering organizations. Certification is available both for systems (e.g. SCADA or other ICS core system) and for components, such as controllers (e.g. PLC, DCS, Fieldbus, Unit Operations), safety devices (e.g. control systems, managers, related programmable electronic systems), remote terminal units and wireless device managers.
With this certification, suppliers can demonstrate to industrial control system consumers and end users that their systems and products have been independently evaluated and found to conform to IEC security standards. The benefits of IEC 62443 certification for end users include assurance that their industrial control systems are designed to meet the highest levels of network and cyber security. They are free of known vulnerabilities and protected against known cyber threats. Additionally, certified systems and devices can often be more efficiently deployed, because less time is needed for security verification during deployment.