The ISA/IEC 62443 Series of Standards - Full Guide

About the International Society of Automation (ISA)

Established 77 years ago, ISA is a globally recognized body focusing on automation adoption. Students, professionals, businesses, engineers, vendors, and anyone else who is interested to study or deal with automation join this society. 

During its early days, it was known as the Instrument Society of America as its penetration was more in the US. As its reach expanded and it gained global attention, it became ISA.

Currently, it’s a world of the most renowned organizations that automation specialists look upon to get familiar with the latest automation trends, practices, and procedures. Even though many more engineering disciplines are included, the key focus remains on automation.

Interested experts can avail the facilities offered by joining the ISA membership, which is of four kinds.

• Honorary - Granted only to those who have made a notable contribution in the field of automation. 
• ‍Professional - Available at an expense of $140 per year, professional membership is for fellows and senior members.
• ‍Student Member - Only for students and can be availed at a minor expense of $15 per annum.
• ‍Life - Granted complimentary when a member continues to be a part of the organization for 25 long years.

The membership comes with ample benefits such as immediate access to 150 standards, discounts on ISA-published books, discounts on training and certifications, and so on.

‍

What Is IEC 62443?

A product of ISA, IEC 62443 is a document featuring a series of consensus-based standards that are concerned with automation, mainly. Besides this, control system applications also fall under its scope.

Before this, the existing cybersecurity practices were concerning the overall IT ecosystem. Hence, automation was covered only at a marginal level. The launch of ISA/IEC 62443 filled this gap by giving an entire focus on automation, operational technology, and industrial 4.0. 

According to ISA, all these resources are holding great significance for the IT defense system of an organization. And, if risks of these resources are identified at an early stage, IT infrastructure and the concerned security ecosystem.

What makes ISA/IEC 62443 stand a step ahead from the rest of frameworks like the NIST Cybersecurity Framework or ISO 2700x is that it’s more extensive. Not one, two, or ten standards are explained. 

In fact, a series of procedures and requirements are crucial for IACS as well as industrial automation. It addresses a wide range of automation digital security challenges, such as:

• Maintaining data confidentiality in relative functions and operations
• Some of the hidden yet damaging aspects of cyberattacks on society, personnel, and the overall IT ecosystem
• Adoption of compensating controls so that outdated OT and IACS systems are protected
• Predicting the financial losses incurred due to the presence of a risk or vulnerability
• Providing a concentrated approach to make sure that the integrity and reliability of the industrial systems

All these extra offerings of these standards made them more reliable and relevant to industrial systems.

The ISA/IEC 62443 series is highly regulated and are based on consensus. At first, these standards were designed by the ISA 99 committee and were later accepted by IEC. The final versions of these standards are always delivered only after close consultation with IACS security professionals.

This is why these standards always provide an in-depth overview of best security practices that can help you construct a reliable cybersecurity management system that is capable of performing a detailed risk assessment.

With diligent adoption, IEC 62443 is useful to decide the IACS security maturity level of a business venture. Also, it can help you decide on selection criteria for service providers, programs, and security products.  

‍

Breakdown Of IEC 62443 Standards

The easiest way to understand what IEC 62443 addresses is to get familiar with its key aspects and offerings. For this, we have broken down these extensive standards. There are four sections in this section.

• General: The first section is General and its focus remains on introducing key terms, concepts, and models.
• ‍Policies and Procedures: The second section talks about key concepts and processes of IACS security. Some of the crucial concepts explained here are how to build a viable IACS security program, Patch Management of IACS, and an Essential Security Program for IASC vendors.
• ‍System: All essentials needed at the system level are well explained in this section. For instance, IACS security technologies, risk audits related to system design, and cybersecurity stages.

• Components and requirements: This last section focuses on IACS products and their security-specific needs such as SDLC necessities and technical benchmarks for IACS.

Let’s discuss some of the noteworthy sections of all these categories.

• IEC/TS 62443-1-1

One of the earliest stands of this series, IEC/TS 62443-1-1 was published in 2009. The technical committee of IEC, 65, formed this section and explains contemporary models, concepts, and terminologies. As it talks about the basic terminologies, it acts as the foundation for further standards.

• IEC/TS 62443-2-1

This standard was released in the fall of 2010 and instructs the industry about the importance of CSMS for control systems’ security and industrial automation. In addition, it surfaces the practices and procedures to develop crucial CMMS elements. It’s often considered an extension of IEC/TS 62443-1-1 as it elaborated what’s discussed there.

• IEC TR 62443-2-3

The focus of this section is on the security practices that IACS product suppliers must adhere to. It eases patch management by talking about standardized practices for information distribution. It’s useful for security-centric system patching in IACS product suppliers and custom-patched installation. Its scope is wider as it is viable for security as well as non-security patches.

• IEC 62443-2-4

This part enlists security program necessities for IACS service providers so that they can do the asset owner integration and maintenance in a better way. The IEC Technical Committee 65 and International Instrumentation User Association joined hands to form this section.

• IEC 62443-3-1

All security technologies that IACS requires are covered in this section. This section helps in finding technologies to do online security tool assessments, countermeasure mitigation, and monitoring of IACS regulations. Step-by-step, this section talks about multiple system-centric technologies that are control systems and the concerning products.

You will be able to learn about the pros and cons of all these tools/technologies so that you can figure out which tool/product is worth trying and the anticipated outcomes. Every minute suggestions and assistance about these tools are explained in this section.

• IEC 62443-3-2

It brings all the key constraints that make a SuC suitable for IACS and other linked networks. Furthermore, it’s easy to categorize the SuCs as distinguishable conduits and zones, figure out the associated risks, and set up technical security level targets or SL-T for every conduit and zone. Once SL-T is designated for zones and conduits, automation security level assessment becomes easy.

It forms the foundation for IACS risk management that begins with setting up a strategy according to the existing methodologies and standards of the concerned organization. It explains the worth of adoptable engineering practices that is useful for figuring out the concerning threats, loopholes, and the viability of mitigation measures.

• ISA 62443-3-2

The foundation of this standard is the fact that IACS depends on the majority of risk management. It makes one thing clear that different risks are involved with different IACS and their severity depends on the kind of threats that meet them. This is why the standard stresses more on adopting a customized IACS risk tolerance.

• IEC 62443-3-3

As one goes through this standard in detail, we’re able to understand the detailed SRS for all the foundational needs, as explained in IEC 62443-1-1.In addition, the standard explained the SL-C requirements, as stated by the IACS community stakeholder, conduits, and zones for SuCs.

• IEC 62443-4-1

This standard talks about the needed requirement to safeguard the development procedure for IACS. It’s important to make sure that SDLC remains risk-free and 100% secure all through the process so that only dependable industrial automation solutions or control systems are designed.

Every element and the essential needs related to it are covered in this standard. Some of the explained concepts here are design security, safe/standardized coding, validation practices, patch management, and so on. The best thing about the explained security requirements is that you can use them for all the existing and new processes, related to development, maintenance, software, and hardware.

• IEC 62443-4-2

This detailed standard is worth your attention as it talks about the most crucial technical control system component requirements linked to 7 FRs, as explained in IEC TS 62443-1-1.

SL-C components and their control system capabilities for every security level are defined here.

‍

The IEC 62443 Checklist

It’s not easy to understand what IEC-62443 is trying to convey as the document is extensive, talks about multiple concepts, and covers various domains. So, it’s better to understand the zest so that you focus on what’s most important and is of fundamental importance. Here is a quick checklist of documents that deserve your attention.

Part 1-1

You must go through this section as it helps you understand what IACS is and some of its closely-related terms. It creates a sound foundation for future understanding.

Part 2-4 

We recommend paying attention to this document as it will help you understand what it takes to be a dependable IACS service provider. It is useful for maintaining digital solutions and performing integrations. If you want to deploy IEC-62443 at a large scale, this document will help in profile sketching so that the right kind of issues are well addressed.

Part 3-2

For every ecosystem, risks are different and this document will help you identify risks related to your domain or ecosystem. This document is of great help to develop a 100% customized security approach for industrial automation.

Part 3-3

Refer to this document to get familiar with different security levels and achieve great security at each level.

Part 4-1

If you are a vendor indulged in IACS solution development or a professional dealing in the same domain, this document could be of great help here as it will instruct you on how to secure the entire development lifecycle.

Part 4-2

To have a better understanding of the technical essentials for improved security of the components, refer to this document. It talks about the technical prerequisites of software, embedded devices, host components, and network components.

‍

IEC 62443 Security Levels, Zones, and Conduits

The best part about IEC 62443 Standards is that it has defined the technical requirements according to the security levels. At each security level, different actions have to be taken to make sure that those industrial control systems are well protected. Hence, getting familiar with the security level, as defined in IEC-62443 is crucial.

For easy identification, security levels in the extensive documents are referred to as SL. Five security levels are explained next.

• SL0 is often considered a beginner security level and not many specified security measures are needed at this level.
• SL1 is the primary level and demands adequate protection to avoid accidental misuse of tools and data 
• SL2 is mid-level security stature and asks for protection against planned and intentional misuse of data, systems, and resources
• SL3 is a higher security level and calls out sound protection measures to avoid intentional misuse. Generally, it concerns IACS-specific knowledge and moderate resources
• SL4 is the last security level and is advanced out of all. At this level, the standard instructs implementation of the most inventive means to avoid risks, incurred by intentional attacks that are highly motivated

Any vendor or supplier of IACS solutions can categorize the tools in all these security levels. The System Under Consideration or SuC is further categorized into zones and conduits. Now, let’s understand what conduits and zones mean for IEC-62443.

By zones, it meant categorizing physical and logical assets demanding the same sort of security requirements. All the SuC, mentioned under one zone, will have all sorts of risks and will have the same security requirements. Mostly, SuCs are categorized based on factors like consequences and criticalities.

Conduit is also a grouping concept. But, here assets are grouped based on communication exclusivity, unlike zones. With the help of conduits, it’s easy to understand how tunnels are communicating within zones.  

Using IEC 62443 For Product Development Lifecycle Security

Secure product development lifecycle security or SDLC is a key aspect to look after when any organization is involved in software development. The extensive guidance and guidelines of the IEC 62443 are of great help in SDLC implementation in the IACS/ICS/OT ecosystem. Even though they are not as far-reaching as NIST, it does a great job of maintaining a strong digital security posture throughout the application development process.

The IEC 62443-3-3 section is most relevant to explain the basic Foundational Requirements or FRs for SDLC. It explains how using user access, authentication, encryption, audit logs, and roles & responsibility enforcement can maintain a dependable security posture during SDLC. For further assistance, one can refer to IEC 62443-4-2. 

It works like a CSMS and guides the developers about further sub-requirements. All these requirements are categorized into seven FR areas. It explains that to attain SLT in product development adherence to targeted meetings and designing prerequisites are crucial.

As this image explains, secure product development is beyond paying attention to basic requirements. Product vendors must channel a multi-facet development lifecycle to maintain security in product development stages.

IEC-62443 makes viable recommendations to maintain secure processing at key development stages like designing, development, verification, and so on. It extends and covers bug fixing and update stages as well.  

Before IEC-62443 and other security standards, OEM and IASC vendors used to spend a huge deal of money by conducting the development in an insecure development ecosystem. As more attention was given to finding the root cause of the issue, it was figured out that most of the threats and risks to OT/ICT devices are because of substandard engineering, paired with poor testing and poor maintenance.

The launch of the IEC-62443 series of standards gave one clear picture of securing the product development lifecycle. It guides the developers on how to secure the development, design, and delivery. They can be a part of SDLC functions and existing security practices. Hence, their implementation won’t be a challenge.

‍

Guide To Risk Assessment Using IEC 62443

Risk assessment is easy to conduct with effective IEC 62443 implementation. When concerned organizations are done finalizing the SuC, this standard provides a well-constructed process for risk assessment.  

ISA-62443-3-2 is the section that is most relevant to this topic as it provides risk discovery, risk derivation, and risk determination overview when the particular requirements are clearly told. The OT risk assessment, guided by IEC 62433, is so result-driven that it can help organizations to leverage previous assessments like LOPA reviews, gap assessments, and cyber maturity reviews.

‍

IEC 62443 And Other Frameworks And Standards

Even though the IEC 62443 is strong enough to protect control and automation systems/solutions, it’s often paired with other frameworks or standards to bring more powerful results.  

For instance, it pairs well with ISO 27001 to empower the OT/IACS/ICS security programs or simply the CSMS. CSMS is a cybersecurity management system capable of looking after three areas such as risk analysis, CSMS improvement, and risk addressing.

If you prefer an excerpt from IEC 62443-4-2 CSMS requirements, you will be able to understand that there are multiple risk analysis requirement areas.

NIST CSF can align well with IEC 62443 as both have similar security functions as a foundation. The only difference is that the key focus of IEC 62443 remains on the functions related to ICS while NIST CSF talks about improving the overall OT system of an organization.

‍

How To Get IEC 62443 Certification?

ISA provides a certification course to understand ISA/IEC 62443. With this certification, it’s easy to get familiar with its key concepts and ensure their uptight delivery. Offered by ISA, the certification is extensive and entails every minute detail of ICAS assessment, maintenance, designating, and implementation. Now, you need to know that two versions of the IEC 62443 certification exist. The first version is for professionals.

Professionals, closely working with control systems and looking after the cybersecurity health of IT systems, can go for IEC 62443 to gain an edge over others and upgrade their inherited skills. After completing this certification, these professionals will be equipped with key industrial terms related to digital security and understand their key implementation areas.

The certification mainly focuses on learning the standards, related to automation. It discarded the IT focus approach and adopted OT focus methodology so that the aspirants are able to figure out the industrial security risks quickly and provide a specific remedial solution.

Before you plan to be an IEC 64633 certified professional, you need to make sure that you meet all the basic requirements. Even though there are no stringent prerequisites, industry experts affirm that the certification journey is easy for those:

• Having three to five years of experience as an IT cybersecurity expert
• Knowing the basics of ISA/IEC 62443 standards

To successfully get famed as ISA/IEC 64633 certified, one has to come with flying colors in the training program and the multiple choice exam. The exam generally features 75-100 questions.

There are five stages of this certification journey. One can settle with one certification and start working or can pass all four stages. However, you need to understand that you have to complete the prior stages to reach the next position.

ISA/IEC 62443 Cybersecurity Fundamentals Specialist

The very basic certification that you can earn with the help of classroom (in-person or virtual) training, instructor-led training, and self-paced modular.

ISA/IEC 62443 Cybersecurity Risk-Assessment Specialist

Once you successfully earn certificate 1, you can aim at this certification that makes you a specialist. You have to successfully complete any of the below-mentioned prerequisites.

• Classroom (IC33)
• ​Virtual Classroom (IC33V)
• Instructor-Guided Online (IC33E)
• Self-Paced Modular (IC33M)

ISA/IEC 62443 Cybersecurity Design Specialist

The 3rd stage of a certified aspirant’s journey, this credential can only be achieved if you have passed the Fundamental certification. There is no instructor-led online assistance program/training for this certification. You have to choose from virtual or online classes and self-paced modules to get ready for the exam.

ISA/IEC 62443 Cybersecurity Maintenance Specialist

You can aim for this certification after successfully passing the ISA/IEC 62443 Cybersecurity Fundamentals Specialist certificate.

‍

The ISA/IEC 62443 Cybersecurity Expert

If you have earned all the above-mentioned certifications, you will become an ISA/IEC 62443 Cybersecurity Expert. No exam and no further training are required.

You need to know that these certificates expire after 3 years of earning date. Hence, renewal is required if you want to enjoy the certified status.

That was the first certification version. The second certification version is for industrial automation & control system vendors/manufacturers/suppliers. This certification allows them to showcase their dependency and skills related to their tools and services. 

To be IEC-62443 certified, such vendors have to do an extensive evaluation, conducted by ISA Security Compliance Institute. Components like Unite operations, PLC, and DCS, systems like ICS core system and SCADA, and safety devices are often eligible for this evaluation.

Benefits Of IEC 62443 Certification

• Having a great understanding of IT control system (CS) security and the ability to eliminate risks effectively. These professionals will be considered an asset for the businesses embracing the Industry 4.0 trend, as they will help the organization to keep its CS healthy and risk-free. Being a certified IEC 62443 increases the employment prospects for automation and CS professionals. 
• ‍Offered industrial control systems and automation solutions are sound enough to avoid a cyber attack and are meeting the industry’s highest quality standards. Presenting an IEC-62443 certification at the time of the vendor selection process will certainly pay off well for the vendors/supplier as they will have higher chances of being selected.

‍

Conclusion

Wallarm was designed to improve the cybersecurity posture of organizations using automation, APIs, and microservices at any level. With its dedicated and advanced offerings like Cloud WAF, GoTest, API protection, and many more, Wallarm is helping the industrial automation domain to have a highly responsive risk assessment and remedial solution.

Using the tools of Wallarm, industrial automation industry players can foster advanced risk management, detection, protection, and compliance practices that are enough to keep potential threats at bay. With tools that can operate in any ecosystem and handle any kind of API, it is easy to meet IEC-62443 standards.