Making control system standards work

The security program requirements added in IEC 62443-2-4 give operators a clearer way to assess and improve a company's operational technology (OT) security posture, and they are key to protecting industrial automation and control systems (IACS) and the infrastructure those systems run.


Changes to international standards in the industrial security arena are helping operators consistently procure and manage control systems security expertise. Understanding these changes and how they can apply to your situation is useful in evolving a company's operational technology (OT) security posture.

The need to protect your infrastructure and services from disruption is a critical priority, especially given the increasing connectivity of industrial environments. To build OT resilience, asset owners often engage specialized consultants. OT security researchers, testers, certification groups, and consultants can work together to deliver a holistic risk mitigation strategy.

Nearly a year ago, with the ratification of IEC 62443, industrial operators and suppliers gained better ways to invest efficiently in such security expertise. Since then, updates to this international industrial controls standard have been published to move systems integration work forward.

Here are some common questions about IEC 62443-2-4 along with a perspective based on experience in working with standards bodies and operators who want to improve operational security: 

What has changed, and how might I benefit?

The existing standard, IEC 62443, focuses on industrial automation and control systems (IACS) security. The new part, IEC 62443-2-4, adds security program requirements for IACS service providers. By working from the requirements identified in this standard, operators can better define which work areas they need to scope for IACS security improvements. With these standards to draw from, organizations can avoid "one-off" costs and wide variations in bids as they procure critical infrastructure security expertise.

Specifically, IEC 62443-2-4 defines a standard set of security services (capabilities) for integration and maintenance activities, thus allowing asset owners to select those most appropriate for their sites. As a result, they can ask their integrators and maintenance contractors for standard requirements. Vendors can tailor their service offerings around these standard activities, rather than customizing their offerings specifically for each customer. 

Is IEC 62443 a cyber security standard?

Yes. The IEC 62443 standards are specific to industrial automation and control systems, which are OT systems as opposed to IT systems. Hardening OT environments reduces risks such as unauthorized access to control systems, false commands sent to operating equipment, and unauthorized reading or writing of proprietary device data.

What kind of systems or equipment does IEC 62443-2-4 address?

IEC 62443-2-4 addresses the processes and activities used to install (integrate) and maintain industrial control systems and their components. These components can include workstations, controllers, and network devices. 

Is this applicable to my organization? Who does this standard affect?

Anyone running critical services is likely to need hardened security to prevent disruption from attacks, accidents, and nation-state incidents. IEC 62443 provides standardization for critical infrastructure security, and IEC 62443-2-4 is written specifically for integrators and maintenance contractors performing IACS security work. It also applies to asset owners who choose to do their own integration and maintenance.

What should operators do with this standard?

Operators should first review this standard, on their own or preferably with knowledgeable sources, and use it to select requirements for their own critical infrastructure security programs. They should then implement security-hardening work across the categories defined to enforce the resulting policies.

What is the next step for adhering to this standard?

While IEC 62443-2-4 provides the "what" for critical infrastructure security by defining and standardizing integration and maintenance capabilities, your organization still needs to determine the "how" and the "why" in defining its own security program, including which subset of these capabilities applies to your specific needs.

For example, IEC 62443-2-4 defines security categories such as architecture and staffing and provides detailed requirements for each, such as administration of network devices and data protection. It does not, however, define how the network devices will be configured or who will be allowed access, nor does it define the type and strength of the passwords used for data protection.

Initial standards work can begin quickly, but implementing the parts of the standard that apply to a customer's requirements spans long time horizons. Specialized expertise brings deep knowledge, discipline, and best practices for a more robust security posture. IEC 62443-2-4 is designed to bring clarity to the integration and maintenance areas.

Protecting a company's infrastructure and services from disruption is an important priority with the increasing connectivity prevalent in operational environments. Standards can help distinguish what work types and expertise areas can be engaged to improve the company's operations security posture.

Nate Kube founded Wurldtech Security Technologies in 2006 and, as the company's chief technology officer, is responsible for strategic alliances, technology, and thought leadership. This content originally appeared on ISSSource. Edited by Chris Vavra, production editor, CFE Media.
