The ISA/IEC 62443 Series: Security For Industrial Automation and Control Systems (IACS)
The ISA/IEC 62443 Series: Security For Industrial Automation and Control Systems (IACS)
Asset Owner
The operator of the IACS and the Equipment Under Control
Provides support activities for an Automation Solution Maintenance Service Provider Principal
Provides integration activities for an Automation Solution including design, Roles Developed to secure industrial automation and control systems (IACS) throughout their lifecycle
installation, configuration, testing, commissioning, and handover to the Asset Owner
Integration Service Provider
IACS technologies are central to critical infrastructure
Manufactures and supports a hardware and/or software product Product Supplier
Implementing IEC 62443 can mitigate the effects and often prevent successful cyber-attacks
IACS and Automation Solution
he series approaches the cybersecurity challenge in a holistic way, bridging the gap between
T
Security Program (ISMS/CSMS)
operations and information technology; and between process safety and cybersecurity
Identification
1. Concept IS – International Standard
Concept
Intro The document types TR – Technical Report
Definition 2. Functional analysis
TS – Technical Specification
Functional design
Security maturity I ndustrial Automation and ollection of personnel, hardware, software, and policies involved in the operation of the
C
Detailed design 3. Implementation Control Systems (IACS) industrial process and that can affect or influence its safe, secure, and reliable operation
phases and Steps
Construction Security Prevention of illegal or unwanted penetration of, or interference with the proper and intended operation of an IACS
Operations ctions required to preclude unauthorized use of, denial of service to, modifications to,
A
4. Operations Cybersecurity disclosure of, loss of revenue from, or destruction of critical systems or informational assets
Compliance monitoring
ype of loosely coupled distributed monitoring and control system commonly
T
Disposal upervisory control and data acquisition
S
associated with electric power transmission and distribution systems, oil and
5. Recycle and disposal system (SCADA system) gas pipelines, and water and sewage systems
Dissolution
haracteristics of
C
ontrol use of selected devices, information or both to protect
C
against unauthorized operation of the device or use of information
FR2. Use Control (UC) Security for industrial IACS that are not
Higher availability
Security zone: Grouping of logical or physical assets that share common security requirements 1. General 1-2: Master glossary of terms and definitions
Zones and Conduits
A Conduit is defined as a logical grouping of communication channels 1-3: System security conformance metrics
that share common security requirements connecting two or more zones.
Security Level Parts Part 2-4: Security program requirements for IACS service providers
rotection against intentional misuse by sophisticated means with
P
moderate resources, IACS-specific knowledge and moderate motivation
SL3 2-5: Implementation guidance for IACS asset owners
Protection against intentional misuse using sophisticated means with IEC TR 62443-3-1:2009
extensive resources, IACS-specific knowledge and high motivation
SL4
3-1: Security technologies for IACS
I ndustrial communication networks - Network and system security -
SL-T (target) / SL-A (achieved) / SL-C (capability) Part 3-1: Security technologies for industrial automation and control systems
IEC 62443-3-2:2020
Ad-hoc process 1. Initial 3. System
3-2: Security risk assessment for system design
Requirements ecurity for industrial automation and control systems -
S
Documented process, but not necessarily repeatable 2. Managed Part 3-2: Security risk assessment for system design
Maturity Levels
Documented process that is repeatable and consistently followed 3. Defined (Practiced) IEC 62443-3-3:2013
3-3: System security requirements and security levels
I ndustrial communication networks - Network and system security -
Documented process that is repeatable, consistently followed, measured, and steadily improved 4. Improving Part 3-3: System security requirements and security levels