Making control system standards work

Understanding a company’s operational technology (OT) security posture and the developments from IEC 62443-2-4 have added security program requirements and benefits for industrial automation and control systems (IACS) security and are key in protecting a company’s infrastructure.

By Nate Kube December 22, 2015

Changes to international standards in the industrial security arena are helping operators consistently procure and manage control systems security expertise. Understanding these changes and how they can apply to your situation is useful in evolving a company’s operational technology (OT) security posture.

The need to protect your infrastructure and services from disruption is a critical priority, especially considering increasing connectivity prevalent in industrial environments. To build OT resilience, asset owners oftentimes engage with specialized consultants. These OT security researchers, testers, certification groups, and consultants can work together to fulfill a holistic risk mitigation strategy.

Nearly a year ago, with the ratification of IEC 62443, industrial operators and suppliers had better methods to more efficiently invest in such security expertise. Since then, updates to this international industrial controls standard were published to move systems integration work forward.

Here are some common questions about IEC 62443-2-4 along with a perspective based on experience in working with standards bodies and operators who want to improve operational security: 

What critical infrastructure has changed and how might I benefit?

The existing standard, IEC 62443, focuses on industrial automation and control systems security (IACS). The new section, part 2-4 (IEC 62443-2-4) added security program requirements for IACS service providers. By working from specifications identified in this standard, operators can better clarify what work areas they need to scope for industrial automation and control systems security improvements. With these standards to draw from, organizations can potentially avoid "one-off" costs or variations in bids as they pursue critical infrastructure security expertise.

Specifically, IEC 62443-2-4 defines a standard set of security services (capabilities) for integration and maintenance activities, thus allowing asset owners to select those most appropriate for their sites. As a result, they can ask their integrators and maintenance contractors for standard requirements. Vendors can tailor their service offerings around these standard activities, rather than customizing their offerings specifically for each customer. 

Is IEC 62443 a cyber security standard?

IEC 62443 standards are specific to industrial automation control systems, which are OT systems as opposed to IT systems. By hardening OT environments, risks such as unauthorized access to control systems, false commands to operating equipment, and read/write of proprietary device data can be minimized. 

What kind of systems or equipment does IEC 62443-2-4 address?

IEC 62443-2-4 addresses the processes and activities used to install (integrate) and maintain industrial control systems and their components. These components can include workstations, controllers, and network devices. 

Is this applicable to my organization? Who does this standard affect?

Anyone running critical services is likely to need hardened security to prevent disruption from attacks, accidents, and nation-state incidents. IEC 62443 provides standardization to help with critical infrastructure security, and IEC 62443-2-4 offers specific guidance to integrators and maintenance contractors. Specifically, IEC 62443-2-4 is written for integrators and maintenance contractors performing industrial automation control systems security work. It also applies to those asset owners who choose to do their own integration and maintenance. 

What should operators do with this standard?

Operators should first review this standard—either on their own or preferably with knowledgeable sources—and use it to select requirements for their own critical infrastructure security programs. Subsequently, they should implement security-hardening work, across the categories defined, to enforce their new policies. 

What is the next step for adhering to this standard?

While IEC 62443-2-4 provides the "what" for addressing critical infrastructure security, by defining and standardizing integration and maintenance capabilities, your organization still needs to determine the "how and why" to define your own security program. This includes the subset of these capabilities applicable to your specific needs.

For example, IEC 62443-2-4 defines critical infrastructure security categories including architecture and staffing and provides detailed requirements for each, such as administration of network devices and data protection. It does not, however, define how the network devices will be set or who will be allowed access. It doesn’t define the type and strength of passwords chosen to use for data protection either.

Initial standards work can begin quickly. Yet implementations of the appropriate parts of the standard to meet the customer’s requirement span long-term time horizons. Specialized expertise can bring deep knowledge, discipline, and best practices for a more robust security posture. IEC 62443-2-4 is designed to bring clarity to the integrator and maintenance areas.

Protecting a company’s infrastructure and services from disruption is an important priority with the increasing connectivity prevalent in operational environments. Standards can help distinguish what work types and expertise areas can be engaged to improve the company’s operations security posture.

Nate Kube founded Wurldtech Security Technologies in 2006 and, as the company’s chief technology officer, is responsible for strategic alliances, technology, and thought leadership. This content originally appeared on ISSSource. Edited by Chris Vavra, production editor, CFE Media,

ONLINE extra

– See additional stories from Kube and from ISSSource linked below.

Original content can be found at