ISA99 committee updates community on activities and plans for ISA/IEC-62443 standards

The chairs of the ISA99 committee on IACS cybersecurity reached out over the New Year weekend to its members and stakeholders to provide an update on activities and plans for the ISA/IEC-62443 series of standards. 

“Our purpose with this letter is to summarize the current situation and expected direction with respect to several important topics, address any possible misconceptions or misunderstandings that you – our stakeholders – may have, and provide a means for raising any future questions or concerns,” Eric C. Cosman and Jim Gilsinn, ISA99 Committee co-chairs, and Joe Weiss, managing director at ISA99, wrote in an open letter to the community.

The IEC 62443 standards are industrial cybersecurity standards available to the industrial and manufacturing sector, which address the cybersecurity challenges of industrial automation and control systems (IACS) and OT (operational technology) environments. 

As the documents in the ISA/IEC 62443 series have been developed by different groups over more than a decade, resulting in certain gaps and inconsistencies, the ISA99 committee formed the consistency task group, called the ‘WG5TG3,’ which has been chartered to review the series for consistency and completeness. The WG5TG3 group has since proposed several improvements, including better definitions of key concepts using detailed ontologies and a proposed new structure for the series. These changes are beginning to appear in revised documents in the series, and the work continues and further improvements are expected, according to the letter. 

The chairs of the ISA99 committee informed stakeholders that new and improved standards and technical reports are under development and that several documents in the ISA/IEC 62443 series are currently being revised. 

In the case of the 62443-1-1 (Terminology, concepts, and models) standard, the initial edition of the document was published by ISA in 2007 and later distributed as a technical specification by IEC. 

“Since then, our understanding of the subject has evolved considerably, as reflected in the more detailed standards in the series. These changes have been incorporated into the second edition of 62443-1-1 that is currently circulating for review and comment in both ISA99 and IEC TC 65 WG 10. We expect to receive many comments on this first draft and will use them to shape the content as we complete this new edition, hopefully in 2022,” according to the letter.  

For the 62443-1-3 (Performance metrics for IACS security) standard, the technical report (TR) defines a methodology for the development of quantitative metrics derived from process and technical requirements defined in the ISA/IEC 62443 series. It has been circulated for review and comment and further revisions are underway. 

Likewise, for the 62443-1-5 (Scheme for cybersecurity profiles) standard, developed by IEC TC65/WG10, the document describes how to draft cybersecurity profiles for the ISA/IEC 62443 series. ISA99 members have submitted comments on the initial draft.  

The 62443-1-6 technical report (Application of the ISA/IEC 62443 standards to the Industrial Internet of Things (IIoT)) describes considerations for asset owners when they are deciding on the implementation of IIoT within their assets, and provides guidance on the requirements of the ISA/IEC 62443 series to clarify and mitigate any cybersecurity concerns. It will be circulated for review and comment early this year.  

For the 62443-2-1 (Security program requirements for IACS asset owners) standard, the initial edition of the document was published by ISA in 2009 and later adopted by IEC. “Our understanding of what constitutes an effective cybersecurity program has evolved considerably since then, and the second edition of this document will reflect this understanding while clarifying the relationship to other standards such as the ISO/IEC 2700x series,” according to the letter. 

The technical report of the 62443-2-3 (Security update (patch) management) was published by ISA in 2015 to address the requirements for an effective automation system patch management program. A second edition has been completed and will soon be circulated for a second round of review and comment.  

The 62443-2-2 (IACS security protection) prescribes the requirements to perform a rating of the expected level of protection provided by technical and process security measures during the operation of an automation system. It was recently circulated for review and comment.  

The 62443-3-3 (System security requirements and security levels), first published in 2013, prescribes the security requirements for control systems related to the seven foundational requirements and assigns system security levels (SLs) to the system under consideration (SuC). The committee is currently preparing a second edition. 

With the use of the ISA/IEC 62443 series across a broad range of sectors, the International Society of Automation (ISA) and the ISA Global Cybersecurity Alliance (ISAGCA) announced last November that the International Electrotechnical Commission (IEC) recognized the industrial cybersecurity standards series as having ‘horizontal’ capability. 

“This is entirely consistent with our direction for the series, going back to when the ISA99 committee was chartered by the ISA Standards and Practices Department in 2002,” the chairs wrote in the letter. 

At that time, two alternative approaches were considered, including instructing all ISA committees to incorporate cybersecurity into their respective existing and planned standards or creating a new standard dedicated to automation cybersecurity to define requirements to be applied and referenced by existing and planned standards.

“Those forming the committee chose the second option and described the scope of the standards in terms of potential consequences, with the understanding that any application or sector that anticipated such consequences could apply the standards. This has not changed. All future development by the ISA99 committee will proceed based on this understanding,” the letter explained.

The leaders of the ISA99 committee are also committed to supporting any sectors or industries wishing to apply or adopt ISA/IEC 62443. “The use of profiles was recently approved within the IEC to assist users in the interpretation and application of the referenced standard(s),” according to the letter. 

“The committee also recognizes that such applications may well require the creation of application guides or profiles to facilitate this adoption. The structure of the ISA/IEC 62443 series will be extended to provide for the inclusion of approved profiles and any associated compliance with those profiles. The process for obtaining such approvals will be the same as for other documents in the ISA/IEC 62443 series, involving the review, commenting, and voting procedures of both ISA and IEC,” it added.

Another topic that the chairs of the ISA99 committee addressed was automation cybersecurity, which has implications in many other areas. “Our committee has formed liaison relationships with many other groups (i.e., committees, consortia, etc.) that improve understanding, acceptance, and adoption of proven and effective practices,” according to the letter. “Perhaps the most important of these is our liaison with IEC TC 65 WG 10, which allows our standards to be reviewed and eventually approved by a larger international audience, leading to their publication as IEC standards.”  

The ISA99 committee also maintains active liaisons with the Industrial Internet Consortium (IIC), the ISA Global Cybersecurity Alliance, and others. “We keep records of each such liaison that define the proposed joint activities and expected benefits for each party. We expect that additional liaisons may result as the ISA/IEC 62443 series of standards are applied in other industry sectors,” it added.

The ISA99 committee is “still expecting to have a series of virtual plenary committee meetings in 2022 to allow everyone to learn more about current and planned activities, ask questions, and express any concerns. You should expect to receive more details in the coming weeks,” the letter said.
