ISA99 Committee updates community on adoption of ISA/IEC 62443 series across sectors, working groups, liaisons

The ISA99 Committee on IACS cybersecurity wrote an open letter to committee members and stakeholders, summarizing the current situation and expected direction. The letter provides an overview of committee meetings and operations, updates on recent liaisons, and seven working groups’ activities while deep diving into the broader application of the ISA/IEC 62443 series across sectors. It also addresses several important topics, covers any possible misconceptions or misunderstandings that stakeholders may have, and provides a means for raising future questions or concerns.

On the application of the series across sectors, Eric C. Cosman and Jim Gilsinn, ISA99 Committee co-chairs, and Joe Weiss, managing director at ISA99 Committee, wrote in an open letter to the community that “you may have heard of proposals and some concerns about the use of the ISA/IEC 62443 series across a broad range of sectors. This has led to the designation of ISA/IEC 62443 as ‘horizontal standards’ by IEC.”

Earlier this year, over the New Year’s weekend, the chairs of the ISA99 committee had reached out to its members and stakeholders with an update on activities and plans for the ISA/IEC 62443 series of standards.

Pointing out that ‘this is entirely consistent with our direction for the series,’ going back to when the ISA99 committee was chartered by the ISA Standards and Practices Department in 2002, the August open letter said that the question of how to position the standards within IEC was posed much more recently and will ultimately be determined by IEC, using its own processes. The leaders of the ISA99 committee support the horizontal designation and are committed to supporting any sectors or industries wishing to apply or adopt ISA/IEC 62443, it added.

The open letter also discussed the use of recently approved profiles within the IEC to assist users in interpreting and applying the referenced standard(s). The committee also recognizes that such applications may well require the creation of application guides or profiles to facilitate this adoption.

The structure of the ISA/IEC 62443 series will be extended to provide for the inclusion of approved profiles and any associated compliance with those profiles. The process for obtaining such approvals will be the same as for other documents in the ISA/IEC 62443 series, involving the review, commenting, and voting procedures of both ISA and IEC, with more details to be shared as they become available.

The ISA99 committee has been very active this year. “In addition to developing specific parts of the ISA/IEC 62443 series, we have also been working on several initiatives aimed at facilitating committee operation and improving the quality of the ISA/IEC 62443 standards,” the chairs wrote in the letter. 

Although the ISA99 committee has over a thousand members, only a relatively small number of them are actively involved in the development of the standards, according to the open letter. Instead, many members join simply to learn and be informed of new and trending developments. “Earlier this year, we conducted a series of virtual plenary meetings to help address this need. Topics addressed include an overview of the ISA/IEC 62443 standards, committee organization and operation, collaboration with IEC TC65 WG10, and new tools used for standards development,” the letter adds.

The day-to-day operation of the committee is directed by work group 5, consisting of the chairs of the other, more focused work groups, the open letter said. This group focuses on several specific areas, including series consistency and work product editing.

Addressing the series consistency issue, the open letter said that the documents in the ISA/IEC 62443 series had been developed by different groups over more than a decade, resulting in certain gaps and inconsistencies. “The consistency group (WG5TG3) has proposed several improvements, including better definitions of key concepts using detailed ontologies and a proposed new structure for the series. These changes are beginning to appear in revised documents in the series. This work continues, and further improvements are expected.” 

For the work product editing, the ISA99 has an editors task group (WG5TG1) responsible for the final review and editing of all documents before they are circulated for review and comment. 

The open letter said that Work Group 2 – 62443-2-1 covers security program requirements for industrial automation and control systems (IACS) asset owners, with the first edition of the standard published by ISA in 2009 and later adopted by IEC. “Our understanding of what constitutes an effective cybersecurity program has evolved considerably since then, and the second edition of this document will reflect this understanding while clarifying the relationship to other standards such as the ISO/IEC 2700x series. A final draft of this standard should be submitted for committee vote later this year,” it adds. 

For Work Group 3 – 62443-1-1, which includes terminology, concepts, and models, the open letter said that the first edition of the document was published by ISA in 2007 and later distributed as a technical specification by IEC. “Since then, our understanding of the subject has evolved considerably, as reflected in the more detailed standards in the series. These changes have been incorporated into the second edition of 62443-1-1 which was circulated for review late last year. We received over 2000 comments on this draft and the workgroup hopes to have a second draft for comment by the end of 2022,” it adds. 

Moving over to Work Group 6 – 62443-2-3, which describes security update patch management, the open letter said that ISA published the technical report in 2015 to address the requirements for an effective automation system patch management program. A second edition is currently being prepared. 

In the case of the Work Group 9 – 62443-1-6 which covers application to the industrial Internet of Things (IIoT), the open letter said that the document describes considerations for asset owners when they are deciding on the implementation of IIoT within their assets and provides guidance on the requirements of the ISA/IEC 62443 series to elucidate and mitigate any cybersecurity concerns. It will be circulated for review and comment later this year. 

For Work Group 12 – 62443-1-3, which describes performance metrics for IACS security, the technical report (TR) defines a methodology for developing quantitative metrics derived from process and technical requirements defined in the ISA/IEC 62443 series. It has been circulated for review and comment, and further revisions are underway.

Work Group 13 – 62443-1-3, covering awareness and training, has been very active in developing and delivering a large set of awareness and training materials related to the 62443 series in the form of micro-learning modules (MLMs) and learning maps, the open letter said. The effort is conducted in partnership with the ISA training department. To date, the group has created and issued six published MLMs on the ISA YouTube channel, focusing on improving IT-oriented people’s understanding of industrial engineering operations.

For Work Group 14, which covers 62443 security profiles for electric energy OT (operational technology) control systems, the open letter said that the group was recently created to prioritize the development of multiple ISA/IEC 62443 Security profiles for electric transmission and distribution applications. It includes members who have expertise in substation operation, communication exchange, and/or OT cyber security. The U.S. Department of Energy (DOE), global equipment suppliers, and other stakeholders announced the Electric Energy OT Security Profile working group in May. 

The chairs wrote in the open letter that the committee had formed liaison relationships with many other groups to improve understanding, acceptance, and adoption of proven and effective practices. “We keep records of each such liaison that define the proposed joint activities and expected benefits for each party. We expect that additional liaisons may result as the ISA/IEC 62443 series of standards are applied in other industry sectors,” they added.

Earlier this month, the Industry IoT Consortium (IIC) and the International Society of Automation announced an active liaison that includes projects of mutual interest. The first of these was creating a paper describing a set of mappings for asset owners, product suppliers, and service providers. Specifically, it provides a way to relate the detailed guidance in 62443-2-1, 62443-3-3, and 62443-4-2 with practices and comprehensiveness levels described in the IIC Security Maturity Model (SMM). 

The ISA99 Committee also liaises with the ISA Global Cybersecurity Alliance (ISA GCA). In this case, the principal goal is to coordinate the promotion and advocacy-related activities of the ISA GCA with current work in the committee. 

The co-chairs said in their open letter that “perhaps the most important of our liaisons is the one with IEC TC 65 WG 10, which allows our standards to be reviewed and eventually approved by a larger international audience, leading to their publication as IEC standards. In the context of this liaison, TC 65 WG 10 is responsible for several parts of the series.”

The 62443-1-5 covers the scheme for cybersecurity profiles and describes how to draft profiles for the ISA/IEC 62443 series. ISA99 members submitted comments on the initial draft. In the case of the 62443-2-4, the open letter said the standard was published by IEC in 2017 and later adopted by ISA. IEC TC 65 WG 10 is preparing a second edition.

The 62443-6-1 deals with the security evaluation methodology for IEC 62443-2-4 and provides support to service providers and evaluators to do a conformity assessment by evaluating the security program against the requirements of IEC 62443-2-4 Ed. 1.1. The 62443-6-2 covers the security evaluation methodology for IEC 62443-4-2, which specifies the evaluation methodology to support interested parties to achieve repeatable and reproducible evaluation results for IACS components against IEC 62443-4-2 requirements.

The co-chairs concluded their open letter by thanking committee members and stakeholders for their “interest in and support of the committee’s work,” adding that they “look forward to your feedback. It is almost certain that we have forgotten some details here or that we have not answered all the comments, questions, or concerns that you may have.”
