Cybersecurity

What the IEC 62443 standard does for industrial cybersecurity

IEC 62443 is the international standard for the security for industrial automation control systems (IACS) and its importance is growing as networks and controllers become intertwined.

By H-ON Consulting April 8, 2021
Courtesy: H-ON Consulting

IEC 62443 is the international standard for the security for industrial automation control systems (IACS). It was set up almost twenty years ago by a group of volunteers belonging to the SP99 Committee, established by the International Society of Automation. It was later reviewed and adopted by the International Electrotechnical Commission (IEC); hence the original name was ISA 99/IEC 62443.

Even if not mandatory for companies, the application of this standard makes industrial control systems immune against cyber threats. In the current scenario, where the number of hazards for this type of technologies is significantly growing, the application of the IEC standard ensures that companies are immune from any potential hazards that may cause, among other things, the breakdown of equipment, freeze in production, as well as unexpected costs related to the repairing of control systems, and profit loss.

This international standard was therefore set up to protect the Industry 4.0 making the sharing of data from outwards to inwards, and vice-versa, safe and reliable.

IEC 62443 compliance and cybersecurity lifecycle

Before examining which specifications of the industrial cybersecurity standard are the most relevant for Industry 4.0, it is necessary to clarify some fundamental terms to better understand this field.

IACS is synonymous with operations technology (OT) being a technology that interfaces with an operational process. In this context, the term is used to distinguish an IACS from an information technology (IT) device that aims at receiving and transmitting the information. Examples of IACS are industrial devices such as programmable logic controllers (PLCs), human-machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) systems.

The IACS security lifecycle are the set of phases that must be carried out in order for the IACS protection to be in compliance with the cybersecurity requirements defined by the IEC standard. The phases of the IACS Security Lifecycle are assess, implement and maintain.

The cybersecurity management system (CSMS) represents the set of practices and actions aiming at identifying cyber risks and defining the most correct countermeasures.

The industrial automation control system (IACS) security lifecycle consists of three phases: Assess, implement and maintain. Courtesy: H-ON Consulting

The industrial automation control system (IACS) security lifecycle consists of three phases: Assess, implement and maintain. Courtesy: H-ON Consulting

The international IEC standard covers all phases of the IACS security lifecycle. It begins with the assessment of risks and vulnerabilities and ends with the maintenance of the security level performances in the long term.

The assess phase consists in the set of activities aiming at identifying high-level risks and analyzing vulnerabilities and low-level risks. It ends with the allocation of minimum cybersecurity requirements required for each component of the IACS system.

It is during the implement phase that companies wishing to protect themselves from cyber attacks shall define the entire CSMS as well as adopt procedures and strategies aiming at preventing cyber attacks and protecting their own industrial control systems. This consists of three steps.

Cybersecurity is, however, a process that needs to be constantly monitored and periodically implemented by means of maintenance activities (maintain phase) related to the safety level of industrial plants. This is the only way to ensure that data flow, which can be shared outwards, is safe from cyber threats, therefore avoiding catastrophic consequences for companies.

Why companies should comply with the IEC 62443 Standard

The compliance with the IEC 62443 international standard represents a guarantee both for the security of OT data to be shared with the IT and the entire production sector. It is therefore possible to avoid any possible contamination with “infected” data.

However, when looking at the future, industrial product safety may only be a mirage if we don’t apply for adequate security for industrial automation control system against cyber attacks. For this reason, we all have to be aware of this scenario.

As consultants in the field, we have created a dedicated team of certified specialists in accordance with the ISA99/IEC62443 Cybersecurity Fundamentals Specialist and ISA99/IEC62443 Cybersecurity Risk Assessment Specialist standards. Our goal is to help companies adopt real security measures that are long-lasting and in compliance with the IEC 62443 standard for every single phase of the IACS security lifecycle.

– This article originally appeared on H-ON Consulting’s website. H-ON Consulting is a CFE Media content partner. Edited by Chris Vavra, web content manager, Control Engineering, CFE Media and Technology, cvavra@cfemedia.com.


H-ON Consulting