ISA/IEC 62443 Series of Cybersecurity Standards

This blog is the first in a series of blogs published by Dragos covering the requirements, documents, and key concepts of the ISA/IEC 62443 series of cybersecurity standards. In our second blog, we give a detailed overview of the documents within the series of standards, followed by a third blog that covers the key concepts and approaches of ISA/IEC 62443.

You’ve probably heard of the ISA/IEC 62443 series of standards, but you might be wondering what the standards include and how they can help your company. As a founding member of the ISA Global Cybersecurity Alliance, Dragos is committed to supporting and expanding the adoption of ISA/IEC 62443, because we believe it includes valuable, actionable guidance for increasing security and resiliency.

The series of standards and technical reports specify requirements for the security of industrial automation and control systems (IACS). These standards set best practices for security and provide a way to assess the level of security performance. The approach is holistic, bridging the gap between operations and information technology and between process safety and cybersecurity. The International Society of Automation’s ISA99 Committee and the International Electrotechnical Commission (IEC) Technical Committee 65/Working Group 10 are the developers and publishers of the standards and technical reports. The documents codify hundreds of years of operational technology and IoT cybersecurity subject matter expertise, including the expertise of several Dragos leaders who have been active in their development.

The standards are well-known in North America because they are referenced dozens of times in the NIST Cybersecurity Framework, but they are also gaining significant attention in other world regions. The series has been endorsed by the United Nations and integrated into the draft of the UN’s Economic and Social Council’s proposal for a common regulatory framework on cyber security in Europe. The IEC also officially designated the IEC/ISA 62443 series of standards as “horizontal,” meaning that they are proven to be applicable to a wide range of different industries. The designation recognizes that the benchmarks set within the standards apply to all sectors that leverage IACS, including building automation, electric power generation and distribution, medical devices, transportation, discrete manufacturing, and process industries such as chemicals and oil and gas.

Using the ISA/IEC 62443 series of standards as a foundation, Dragos can help companies adopt security as part of the operations lifecycle, enable compliance with various aspects of the standards across supply chains, and include cybersecurity in operational risk-management profiles. We leverage the standards to help customers:

Define common terms, concepts, and models that can be used by all stakeholders responsible for control systems cybersecurity
Determine the level of security required to meet their unique business and risk needs
Perform risk assessments that are critical to protecting control systems
Isolate, segment, and secure network zones and conduits
Frame requirements for products and solutions from vendors and supply chain partners
Create appropriate roles and responsibilities for users or resources
Recommend security risk mitigation strategies

The standards are regularly updated, modified, and expanded – and all are welcome to join the community or serve on its various subcommittees. We’ve developed a solution brief to help you understand how Dragos can help you align with ISA/IEC 62443. Stay tuned to learn more on the ISA/IEC 62443 series of cybersecurity standards in our follow-on series of blogs covering this topic.